Fix an issue with lost password on MariaDB (#622)

curveball · Feb 11, 2025 · 1ac1563 · 1ac1563
1 parent c58de2b
commit 1ac1563
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/changelog.md b/changelog.md
@@ -13,6 +13,9 @@ Changelog
 * This small refactoring allows us to emit `too_many_failed_login_attempts`
   from the `authorization_challenge` system. Before, it emitted
   `invalid_username_or_password` which is confusing.
+* Limit passwords to 72 characters to avoid issues with bcrypt trunctating the
+  input.
+* Fix an issue with lost password not working on MariaDB.
 
 
 0.29.0 (2025-02-07)

diff --git a/src/user/service.ts b/src/user/service.ts
@@ -20,12 +20,15 @@ export async function createPassword(user: User, password: string): Promise<void
 export async function updatePassword(user: User, password: string): Promise<void> {
 
   assertValidPassword(password);
+  const passwordHash = await bcrypt.hash(password, 12);
   await db('user_passwords').insert({
     user_id: user.id,
-    password: await bcrypt.hash(password, 12)
+    password: passwordHash,
   })
-    .onConflict('user_id')
-    .merge();
+  .onConflict('user_id')
+  .merge({
+    password: passwordHash,
+  });
 
 }
 
@@ -69,6 +72,9 @@ function assertValidPassword(password: string) {
   if (password.length < 8) {
     throw new UnprocessableContent('Passwords must be at least 8 characters');
   }
+  if (password.length > 72) {
+    throw new UnprocessableContent('Passwords must be at most 72 characters');
+  }
 
 }