From de759bbc1b569a5547e21bd5ca20ad218775d57f Mon Sep 17 00:00:00 2001
From: Shane Tomlinson <stomlinson@mozilla.com>
Date: Mon, 16 Jul 2012 14:54:21 +0100
Subject: [PATCH] Before authenticating, check password length.

---
 resources/static/common/js/browserid.js       |  6 +++++-
 resources/static/common/js/user.js            |  8 ++++++++
 resources/static/test/cases/common/js/user.js | 16 ++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/resources/static/common/js/browserid.js b/resources/static/common/js/browserid.js
index 5f6623876..cf4e9f167 100644
--- a/resources/static/common/js/browserid.js
+++ b/resources/static/common/js/browserid.js
@@ -14,6 +14,10 @@
     // no sense since no component of this is 128 bits
     // so making this 160 as per DSA 1024/160
     // EXCEPT, for backwards compatibility this is still 128 for now
-    KEY_LENGTH: 128
+    KEY_LENGTH: 128,
+
+    PASSWORD_MIN_LENGTH: 8,
+    PASSWORD_MAX_LENGTH: 80
+
   });
 }());
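Review bot: The two new constants are added without a comment, while the neighbouring KEY_LENGTH carries a four-line explanation of where its value comes from; a reader has no way to tell whether 8 and 80 are a client-side convenience or mirror a limit the backend enforces. I would add above `PASSWORD_MIN_LENGTH: 8,` a note such as `// Bounds for client-side password checks; presumably mirror the server's validation — keep them in sync when either side changes`, with the wording firmed up once the server-side value is confirmed. The blank line added after `PASSWORD_MAX_LENGTH: 80` sits inside the object literal just before `});` and is a stray, it should be dropped.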
diff --git a/resources/static/common/js/user.js b/resources/static/common/js/user.js
index 5438da179..babc59229 100644
--- a/resources/static/common/js/user.js
+++ b/resources/static/common/js/user.js
@@ -836,6 +836,14 @@ BrowserID.User = (function() {
      * @param {function} [onFailure] - Called on error.
      */
     authenticate: function(email, password, onComplete, onFailure) {
+      // password is out of length range.  Don't even send the request
+      // and waste backend cycles. See issue #2032.
+      if (password.length < bid.PASSWORD_MIN_LENGTH
+       || password.length > bid.PASSWORD_MAX_LENGTH) {
+        complete(onComplete, false);
+        return;
+      }
+
       network.authenticate(email, password, function(authenticated) {
         setAuthenticationStatus(authenticated);
 
diff --git a/resources/static/test/cases/common/js/user.js b/resources/static/test/cases/common/js/user.js
index 1911f69a2..f39ed418c 100644
--- a/resources/static/test/cases/common/js/user.js
+++ b/resources/static/test/cases/common/js/user.js
@@ -630,6 +630,22 @@
   });
 
 
+  asyncTest("authenticate with too short a password - user not authenticated", function() {
+    var password = testHelpers.generateString(bid.PASSWORD_MIN_LENGTH - 1);
+    lib.authenticate(TEST_EMAIL, password, function onComplete(authenticated) {
+      equal(false, authenticated, "invalid authentication.");
+      start();
+    }, testHelpers.unexpectedXHRFailure);
+  });
+
+  asyncTest("authenticate with too long a password - user not authenticated", function() {
+    var password = testHelpers.generateString(bid.PASSWORD_MAX_LENGTH + 1);
+    lib.authenticate(TEST_EMAIL, password, function onComplete(authenticated) {
+      equal(false, authenticated, "invalid authentication.");
+      start();
+    }, testHelpers.unexpectedXHRFailure);
+  });
+
   asyncTest("authenticate with invalid credentials", function() {
     xhr.useResult("invalid");
     lib.authenticate(TEST_EMAIL, "testuser", function onComplete(authenticated) {
-- 
GitLab