Before authenticating, check password length.

de759bbc · Shane Tomlinson · 80db7784 · de759bbc · de759bbc · de759bbc
Commit de759bbc authored 12 years ago by Shane Tomlinson
--- a/resources/static/common/js/browserid.js
+++ b/resources/static/common/js/browserid.js
@@ -14,6 +14,10 @@
    // no sense since no component of this is 128 bits
    // so making this 160 as per DSA 1024/160
    // EXCEPT, for backwards compatibility this is still 128 for now
-    KEY_LENGTH: 128
+    KEY_LENGTH: 128,
+
+    PASSWORD_MIN_LENGTH: 8,
+    PASSWORD_MAX_LENGTH: 80
+
  });
 }());
--- a/resources/static/common/js/user.js
+++ b/resources/static/common/js/user.js
@@ -836,6 +836,14 @@ BrowserID.User = (function() {
     * @param {function} [onFailure] - Called on error.
     */
    authenticate: function(email, password, onComplete, onFailure) {
+      // password is out of length range.  Don't even send the request
+      // and waste backend cycles. See issue #2032.
+      if (password.length < bid.PASSWORD_MIN_LENGTH
+       || password.length > bid.PASSWORD_MAX_LENGTH) {
+        complete(onComplete, false);
+        return;
+      }
+
      network.authenticate(email, password, function(authenticated) {
        setAuthenticationStatus(authenticated);


--- a/resources/static/test/cases/common/js/user.js
+++ b/resources/static/test/cases/common/js/user.js
@@ -630,6 +630,22 @@
  });


+  asyncTest("authenticate with too short a password - user not authenticated", function() {
+    var password = testHelpers.generateString(bid.PASSWORD_MIN_LENGTH - 1);
+    lib.authenticate(TEST_EMAIL, password, function onComplete(authenticated) {
+      equal(false, authenticated, "invalid authentication.");
+      start();
+    }, testHelpers.unexpectedXHRFailure);
+  });
+
+  asyncTest("authenticate with too long a password - user not authenticated", function() {
+    var password = testHelpers.generateString(bid.PASSWORD_MAX_LENGTH + 1);
+    lib.authenticate(TEST_EMAIL, password, function onComplete(authenticated) {
+      equal(false, authenticated, "invalid authentication.");
+      start();
+    }, testHelpers.unexpectedXHRFailure);
+  });
+
  asyncTest("authenticate with invalid credentials", function() {
    xhr.useResult("invalid");
    lib.authenticate(TEST_EMAIL, "testuser", function onComplete(authenticated) {