From 1ac15637913df46cf47f59fd304a79fbf2e77836 Mon Sep 17 00:00:00 2001
From: Evert Pot
Date: Mon, 10 Feb 2025 22:03:35 -0500
Subject: [PATCH] Fix an issue with lost password on MariaDB (#622)

---
 changelog.md | 3 +++
 src/user/service.ts | 12 +++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/changelog.md b/changelog.md
index 4f7b214d..dd8a818b 100644
--- a/changelog.md
+++ b/changelog.md
@@ -13,6 +13,9 @@ Changelog
 * This small refactoring allows us to emit `too_many_failed_login_attempts` from the `authorization_challenge` system. Before, it emitted `invalid_username_or_password` which is confusing.
+* Limit passwords to 72 characters to avoid issues with bcrypt trunctating the input.
+* Fix an issue with lost password not working on MariaDB.
 0.29.0 (2025-02-07)
diff --git a/src/user/service.ts b/src/user/service.ts
index e51c5385..2c002adb 100644
--- a/src/user/service.ts
+++ b/src/user/service.ts
@@ -20,12 +20,15 @@ export async function createPassword(user: User, password: string): Promise {
 assertValidPassword(password);
+ const passwordHash = await bcrypt.hash(password, 12);
 await db('user_passwords').insert({
 user_id: user.id,
- password: await bcrypt.hash(password, 12)
+ password: passwordHash,
 })
- .onConflict('user_id')
- .merge();
+ .onConflict('user_id')
+ .merge({
+ password: passwordHash,
+ });
 }
@@ -69,6 +72,9 @@ function assertValidPassword(password: string) {
 if (password.length < 8) {
 throw new UnprocessableContent('Passwords must be at least 8 characters');
 }
+ if (password.length > 72) {
+ throw new UnprocessableContent('Passwords must be at most 72 characters');
+ }
 }
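Review bot: The new upper bound in assertValidPassword checks `password.length`, which counts UTF-16 code units, while bcrypt's 72 limit applies to the bytes of the UTF-8 encoded input, so a password of 72 or fewer characters containing multi-byte characters (accented letters, CJK, emoji) can still exceed 72 bytes and is then either silently truncated or, depending on the bcrypt release in use, rejected at hash time — the very case the changelog entry says this guard is meant to prevent. Change the condition to `if (Buffer.byteLength(password, 'utf8') > 72) {` so the check measures what bcrypt measures, and consider stating the limit in bytes in the error message so the user-facing rule matches the real one. The same code-unit/byte mismatch affects the existing `< 8` minimum, but that one only errs toward leniency for astral characters and is less of a concern than the upper bound.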