diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index da4c3a2ce11362de844102a64e9b2c3e7880feda..9f69e0d2c5eccb3a3d9fed0a742cb7d5f88f0d1f 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -99,9 +99,16 @@ function setup(app) {
 * the staged user account transitions to a valid user account
 */
 app.post('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) {
- // bcrypt the password
 // we should be cloning this object here.
 var stageParams = req.body;
+
+ // issue #155, valid password length is between 8 and 80 chars.
+ if (stageParams.pass.length < 8 || stageParams.pass.length > 80) {
+ httputils.badRequest(resp, "valid passwords are between 8 and 80 chars");
+ return;
+ }
+
+ // bcrypt the password
 stageParams['hash'] = bcrypt.encrypt_sync(stageParams.pass, bcrypt.gen_salt_sync(10));
 
 try {
diff --git a/browserid/static/dialog/controllers/createaccount_controller.js b/browserid/static/dialog/controllers/createaccount_controller.js
index 50ba5cdb0fae1d0970bfc8268b273cc0ec714388..67e5d9b56b171588b9e9ad93c251bf4dee5dde77 100644
--- a/browserid/static/dialog/controllers/createaccount_controller.js
+++ b/browserid/static/dialog/controllers/createaccount_controller.js
@@ -146,8 +146,10 @@
 } else {
 if (!pass) {
 self.find('#enter_a_password').show();
- } else if (pass.length < 5) {
+ } else if (pass.length < 8) {
 self.find('#password_too_short').show();
+ } else if (pass.length > 80) {
+ self.find('#password_too_long').show();
 } else {
 self.find('#password_ok').show();
 $('#create_continue').removeClass('disabled');
diff --git a/browserid/static/dialog/controllers/forgotpassword_controller.js b/browserid/static/dialog/controllers/forgotpassword_controller.js
index e7037030ce96854af915f047ec94bf82168bfc05..0726de3b9415b667ab6375fb392445fc504007c4 100644
--- a/browserid/static/dialog/controllers/forgotpassword_controller.js
+++ b/browserid/static/dialog/controllers/forgotpassword_controller.js
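Review bot: The new guard reads `stageParams.pass.length` without first confirming `pass` is a string, so if the body parser hands over a non-string value (an array or object whose `length` happens to fall in 8..80, or a number whose `length` is undefined and compares false on both sides) the bound is bypassed and the value goes on to bcrypt; `checkParams` is outside the hunk, so I cannot tell whether it already enforces the type. Tighten the first line of the check to `if (typeof stageParams.pass !== 'string' || stageParams.pass.length < 8 || stageParams.pass.length > 80) {`. Separately, `.length` counts UTF-16 code units while bcrypt hashes at most the first 72 bytes of its input, so an 80-character password can already be silently truncated before hashing — the 80 ceiling does not prevent that, which deserves a comment such as `// bcrypt only uses the first 72 bytes; 80 chars is a UI bound, not a hashing bound`. The route handler and the enclosing `setup(app)` continue past the end of the hunk.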
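Review bot: The bounds 8 and 80 are now hard-coded here, again in forgotpassword_controller.js and a third time in the server-side check in wsapi.js, so a future change to one site will quietly leave the dialog and the API disagreeing about what is valid. Consider hoisting them into named constants the two controllers share, e.g. `var MIN_PASS_LEN = 8, MAX_PASS_LEN = 80;` with the branches written as `} else if (pass.length < MIN_PASS_LEN) {` and `} else if (pass.length > MAX_PASS_LEN) {`. The validation function these lines belong to starts and ends outside the hunk.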
@@ -63,8 +63,10 @@
 } else {
 if (!pass) {
 self.find("#enter_a_password").show();
- } else if (pass.length < 5) {
+ } else if (pass.length < 8) {
 self.find("#password_too_short").show();
+ } else if (pass.length > 80) {
+ self.find("#password_too_long").show();
 } else {
 self.find("#password_ok").show();
 $("#create_continue").removeClass("disabled");
diff --git a/browserid/static/dialog/views/create.ejs b/browserid/static/dialog/views/create.ejs
index 16b4c58849199d9a779542e5caadc38013c22d37..14b29914bd5ea3ce94b4b171b61394eca4f71931 100644
--- a/browserid/static/dialog/views/create.ejs
+++ b/browserid/static/dialog/views/create.ejs
@@ -17,6 +17,7 @@
 <span class="note passwordnote" id="enter_a_password"><span class="bad">Enter a password</span></span>
 <span class="note passwordnote" id="passwords_different" style="display:none;"><span class="bad">Passwords different</span></span>
 <span class="note passwordnote" id="password_too_short" style="display:none;"><span class="bad">Password too short</span></span>
+ <span class="note passwordnote" id="password_too_long" style="display:none;"><span class="bad">Password too long</span></span>
 <span class="note passwordnote" id="password_ok" style="display:none;"><span class="good">Password OK</span></span>
 </div>
 <div class="attention_lame" style="display:none;" id="emailinuse_message">
diff --git a/browserid/static/dialog/views/forgotpassword.ejs b/browserid/static/dialog/views/forgotpassword.ejs
index 9a038b93d5220d81c01a6db54a4f05cdfb2e625b..d9d7948b3197143e22dd0086cded056004350c59 100644
--- a/browserid/static/dialog/views/forgotpassword.ejs
+++ b/browserid/static/dialog/views/forgotpassword.ejs
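Review bot: This client-side bound is a usability aid only — the dialog runs in the user's browser, so the check in wsapi.js is the one that actually enforces the policy, and nothing here says so. A one-line comment above the branch, `// mirrors the 8-80 char limit enforced by /wsapi/stage_user; the server is authoritative`, would stop a later reader from treating this as a security control. The branch is also now identical to the one in createaccount_controller.js, so a small shared helper that maps `pass` to the note id to show would keep the two dialogs from drifting apart. The enclosing function starts and ends outside the hunk.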
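Review bot: The new "Password too long" note never tells the user what the limit is, so they are left guessing how much to trim; the existing "too short" note has the same gap. Suggest `<span class="bad">Password too long (maximum 80 characters)</span>` so the message matches the 8-80 range the server's 400 response states.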
@@ -15,6 +15,7 @@
 <span class="note passwordnote" id="enter_a_password"><span class="bad">Enter a password</span></span>
 <span class="note passwordnote" id="passwords_different" style="display:none;"><span class="bad">Passwords different</span></span>
 <span class="note passwordnote" id="password_too_short" style="display:none;"><span class="bad">Password too short</span></span>
+ <span class="note passwordnote" id="password_too_long" style="display:none;"><span class="bad">Password too long</span></span>
 <span class="note passwordnote" id="password_ok" style="display:none;"><span class="good">Password OK</span></span>
 </div>
 <div class="attention_lame" style="display:none;" id="emailinuse_message">
diff --git a/browserid/tests/password-length-test.js b/browserid/tests/password-length-test.js
new file mode 100755
index 0000000000000000000000000000000000000000..3b297685203c9217f5aab2bab2d35894809c1393
--- /dev/null
+++ b/browserid/tests/password-length-test.js
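Review bot: The added note reads only "Password too long" and omits the 80-character limit the controller checks against, so the user has no way to know how much to remove. Suggest `<span class="bad">Password too long (max 80 characters)</span>`; giving the "too short" note its minimum in the same way would be worthwhile.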
@@ -0,0 +1,97 @@
+#!/usr/bin/env node
+
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla BrowserID.
+ *
+ * The Initial Developer of the Original Code is Mozilla.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+const assert = require('assert'),
+vows = require('vows'),
+start_stop = require('./lib/start-stop.js'),
+wsapi = require('./lib/wsapi.js'),
+interceptor = require('./lib/email-interceptor.js');
+
+var suite = vows.describe('password-length');
+
+// disable vows (often flakey?) async error behavior
+suite.options.error = false;
+
+start_stop.addStartupBatches(suite);
+
+// ever time a new token is sent out, let's update the global
+// var 'token'
+var token = undefined;
+interceptor.onEmail = function(newtok) { token = newtok; };
+
+// create a new account via the api with (first address)
+suite.addBatch({
+ "a password that is too short": {
+ topic: wsapi.post('/wsapi/stage_user', {
+ email: 'first@fakeemail.com',
+ pass: '0123456', // less than 8 chars, invalid
+ pubkey: 'fakepubkey',
+ site:'fakesite.com'
+ }),
+ "causes a HTTP error response": function(r, err) {
+ assert.equal(r.code, 400);
+ }
+ },
+ "a password that is too long": {
+ topic: wsapi.post('/wsapi/stage_user', {
+ email: 'second@fakeemail.com',
+ pass: '012345678901234567890123456789012345678901234567890123456789012345678901234567891', // more than 81 chars, invalid.
+ pubkey: 'fakepubkey',
+ site:'fakesite.com'
+ }),
+ "causes a HTTP error response": function(r, err) {
+ assert.equal(r.code, 400);
+ }
+ },
+ "but a password that is just right": {
+ topic: wsapi.post('/wsapi/stage_user', {
+ email: 'third@fakeemail.com',
+ pass: 'ahhh. this is just right.', // valid.
+ pubkey: 'fakepubkey',
+ site:'fakesite.com'
+ }),
+ "causes a HTTP error response": function(r, err) {
+ assert.equal(r.code, 200);
+ }
+ }
+});
+
+start_stop.addShutdownBatches(suite);
+
+// run or export the suite.
+if (process.argv[1] === __filename) suite.run();
+else suite.export(module);
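Review bot: The suite never exercises the exact boundaries — 8 and 80 characters are precisely the inputs an off-by-one in `< 8 || > 80` would break — yet the only accepted password is 25 characters and the rejected ones are 7 and 81, and the inline comment on the long literal says `// more than 81 chars, invalid.` although that string is exactly 81 characters, i.e. one over the limit. Two more batches asserting 200 for exactly 8 and exactly 80 characters would pin both bounds; a sketch follows. The third vow is titled `"causes a HTTP error response"` but asserts 200, so rename it to something like `"is accepted"`. What `wsapi.post` resolves to is not visible here, so the `r.code` shape in the sketch is taken from the existing vows.
```javascript
// … unchanged: license header, requires, startup batches, existing addBatch …
suite.addBatch({
  "a password of exactly 8 chars": {
    topic: wsapi.post('/wsapi/stage_user', {
      email: 'fourth@fakeemail.com',
      pass: '01234567', // lower bound, must be accepted
      pubkey: 'fakepubkey',
      site:'fakesite.com'
    }),
    "is accepted": function(r, err) {
      assert.equal(r.code, 200);
    }
  },
  "a password of exactly 80 chars": {
    topic: wsapi.post('/wsapi/stage_user', {
      email: 'fifth@fakeemail.com',
      pass: new Array(81).join('a'), // 80 chars, upper bound, must be accepted
      pubkey: 'fakepubkey',
      site:'fakesite.com'
    }),
    "is accepted": function(r, err) {
      assert.equal(r.code, 200);
    }
  }
});
// … unchanged: shutdown batches, run/export …
```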