From dd98669c1904309fce17fe990ca26ca3d24c87a0 Mon Sep 17 00:00:00 2001 From: Sinan Date: Tue, 12 Nov 2024 20:44:45 +0530 Subject: [PATCH 1/4] Password validtion added to prevent security issue with bcrypt hashing --- apps/api/src/app/auth/dtos/register-user.dto.ts | 3 ++- apps/api/src/app/auth/dtos/reset-password.dto.ts | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apps/api/src/app/auth/dtos/register-user.dto.ts b/apps/api/src/app/auth/dtos/register-user.dto.ts index 108541f68..0761f500e 100644 --- a/apps/api/src/app/auth/dtos/register-user.dto.ts +++ b/apps/api/src/app/auth/dtos/register-user.dto.ts @@ -1,5 +1,5 @@ import { ApiProperty } from '@nestjs/swagger'; -import { IsDefined, IsString, IsEmail, IsOptional } from 'class-validator'; +import { IsDefined, IsString, IsEmail, IsOptional, MaxLength } from 'class-validator'; export class RegisterUserDto { @ApiProperty({ @@ -28,6 +28,7 @@ export class RegisterUserDto { }) @IsString() @IsDefined() + @MaxLength(70) password: string; @ApiProperty({ diff --git a/apps/api/src/app/auth/dtos/reset-password.dto.ts b/apps/api/src/app/auth/dtos/reset-password.dto.ts index 93412696e..a19807502 100644 --- a/apps/api/src/app/auth/dtos/reset-password.dto.ts +++ b/apps/api/src/app/auth/dtos/reset-password.dto.ts @@ -1,9 +1,10 @@ import { ApiProperty } from '@nestjs/swagger'; -import { IsDefined, IsString, IsUUID } from 'class-validator'; +import { IsDefined, IsString, IsUUID, MaxLength } from 'class-validator'; export class ResetPasswordDto { @IsString() @IsDefined() + @MaxLength(70) @ApiProperty({ description: 'New password of the user', }) From 9723914c8d878a4f3daabf826709b6c1e9252b58 Mon Sep 17 00:00:00 2001 From: Sinan Date: Fri, 15 Nov 2024 09:49:45 +0530 Subject: [PATCH 2/4] backend validation changed to 24 --- apps/api/src/app/auth/dtos/register-user.dto.ts | 2 +- apps/api/src/app/auth/dtos/reset-password.dto.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
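Review bot: `@MaxLength(70)` on `password` bounds a character count, not a byte count, so it does not by itself keep the input inside bcrypt's 72-byte limit — a 70-character password made of multi-byte UTF-8 characters is still silently truncated by bcrypt, which appears to be the issue the subject line refers to. If staying under that limit is the goal, validate the encoded length with a custom class-validator check such as `Buffer.byteLength(value, 'utf8') <= 72`, or keep `@MaxLength` and add a comment stating that the bound is a character count chosen with the 72-byte limit in mind, e.g. `// character cap; bcrypt truncates input at 72 bytes`. The identical decorator added to reset-password.dto.ts in this patch has the same caveat. No lower bound is visible in either hunk; if a minimum length is enforced elsewhere, a pointer to it next to this decorator lets a reader see both constraints together.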
diff --git a/apps/api/src/app/auth/dtos/register-user.dto.ts b/apps/api/src/app/auth/dtos/register-user.dto.ts index 0761f500e..ed0fc7222 100644 --- a/apps/api/src/app/auth/dtos/register-user.dto.ts +++ b/apps/api/src/app/auth/dtos/register-user.dto.ts @@ -28,7 +28,7 @@ export class RegisterUserDto { }) @IsString() @IsDefined() - @MaxLength(70) + @MaxLength(24) password: string; @ApiProperty({ diff --git a/apps/api/src/app/auth/dtos/reset-password.dto.ts b/apps/api/src/app/auth/dtos/reset-password.dto.ts index a19807502..2d03c5e10 100644 --- a/apps/api/src/app/auth/dtos/reset-password.dto.ts +++ b/apps/api/src/app/auth/dtos/reset-password.dto.ts @@ -4,7 +4,7 @@ import { IsDefined, IsString, IsUUID, MaxLength } from 'class-validator'; export class ResetPasswordDto { @IsString() @IsDefined() - @MaxLength(70) + @MaxLength(24) @ApiProperty({ description: 'New password of the user', }) From 9f8e3e447cf60aaad8fbf245e2dd27212eec2b6c Mon Sep 17 00:00:00 2001 From: Sinan Date: Fri, 15 Nov 2024 15:01:23 +0530 Subject: [PATCH 3/4] added max length validtion on reset and register fows --- apps/web/config/constants.config.ts | 3 ++- apps/web/hooks/auth/useResetPassword.tsx | 15 +++++++++++++-- apps/web/hooks/auth/useSignup.tsx | 11 +++++++++-- apps/web/pages/auth/reset/[token].tsx | 6 +++--- 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/apps/web/config/constants.config.ts b/apps/web/config/constants.config.ts index 9ab32ab18..c16770ddd 100644 --- a/apps/web/config/constants.config.ts +++ b/apps/web/config/constants.config.ts @@ -24,6 +24,7 @@ export const CONSTANTS = { 'An error occurred with the payment. No amount has been deducted. Please try again later or contact the support team.', SUBSCRIPTION_ACTIVATED_TITLE: 'Subscription activated', SUBSCRIPTION_FAILED_TITLE: 'Payment failed', + MAX_PASSWORD_LENGTH: 24 }; export const VARIABLES = { 
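Review bot: Lowering the cap to `@MaxLength(24)` is far below the 72-byte bcrypt bound the previous patch targeted, and it rejects passphrases a password manager or a user following NIST SP 800-63B guidance (verifiers should accept at least 64 characters) would otherwise pick; the commit message gives no reason for 24. A value such as `@MaxLength(64)` keeps the bcrypt-safe bound without pushing users toward shorter secrets. The reset-password.dto.ts hunk in this patch carries the same literal and should move with it. Since the web app repeats the number in `CONSTANTS.MAX_PASSWORD_LENGTH`, a comment on the decorator, e.g. `// keep in sync with MAX_PASSWORD_LENGTH in apps/web/config/constants.config.ts`, makes the coupling visible and reduces silent drift.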
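Review bot: `MAX_PASSWORD_LENGTH: 24` omits the trailing comma that the neighbouring entries in `CONSTANTS` carry (`SUBSCRIPTION_FAILED_TITLE: 'Payment failed',`), so the next addition to the object will touch this line again; write it as `MAX_PASSWORD_LENGTH: 24,`. The value also duplicates the literal `24` in the API DTOs' `@MaxLength(24)` instead of sharing one definition; the web hooks already import from `@impler/shared`, which looks like the natural place for a single constant both sides read, though whether the API package consumes `@impler/shared` is not visible here.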
@@ -463,7 +464,7 @@ export enum PLANCODEENUM { GROWTH_YEARLY = 'GROWTH-YEARLY', STARTER = 'STARTER', } -export const plans: { monthly: Plan[]; yearly: Plan[] } = { +export const plans: { monthly: Plan[]; yearly: Plan[]; } = { monthly: [ { name: 'Starter (Default)', diff --git a/apps/web/hooks/auth/useResetPassword.tsx b/apps/web/hooks/auth/useResetPassword.tsx index f5ee592af..8747dbe7e 100644 --- a/apps/web/hooks/auth/useResetPassword.tsx +++ b/apps/web/hooks/auth/useResetPassword.tsx @@ -3,7 +3,7 @@ import { useRouter } from 'next/router'; import { useForm } from 'react-hook-form'; import { useMutation } from '@tanstack/react-query'; -import { API_KEYS, ROUTES } from '@config'; +import { API_KEYS, CONSTANTS, ROUTES } from '@config'; import { commonApi } from '@libs/api'; import { IErrorObject, ILoginResponse, SCREENS } from '@impler/shared'; import { track } from '@libs/amplitude'; @@ -19,7 +19,11 @@ interface IResetPasswordData extends IResetPasswordFormData { export function useResetPassword() { const { push, query } = useRouter(); - const { register, handleSubmit } = useForm(); + const { + register, + handleSubmit, + setError, + formState: { errors }, } = useForm(); const { mutate: resetPassword, isLoading: isResetPasswordLoading, @@ -49,6 +53,12 @@ export function useResetPassword() { }; const onResetPassword = (data: IResetPasswordFormData) => { + if (data.password && data.password.length > CONSTANTS.MAX_PASSWORD_LENGTH) { + setError("password", { + type: "manual", + message: `Password length must be less than ${CONSTANTS.MAX_PASSWORD_LENGTH}!` + }); + } resetPassword({ ...data, token: query.token as string, @@ -57,6 +67,7 @@ export function useResetPassword() { return { error, + errors, isError, register, goToLogin, diff --git a/apps/web/hooks/auth/useSignup.tsx b/apps/web/hooks/auth/useSignup.tsx index af4db2744..29f5d2721 100644 --- a/apps/web/hooks/auth/useSignup.tsx +++ b/apps/web/hooks/auth/useSignup.tsx 
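Review bot: The length guard added to `onResetPassword` calls `setError` but does not return, so `resetPassword({ ...data, token: ... })` is still sent with the over-long password and the server's rejection immediately competes with the client-side message; the parallel guard added to `useSignup.tsx` in this same patch does `return;` after `setError`, and this one should too. The message says "less than" while the check is `> CONSTANTS.MAX_PASSWORD_LENGTH`, so a password of exactly that length passes; `message: \`Password must be at most ${CONSTANTS.MAX_PASSWORD_LENGTH} characters\`` describes the check accurately. The added lines use double quotes (`"password"`, `"manual"`) where the rest of the file uses single quotes. Note that once the early return is in place, the reset page in this patch only renders `errors` inside an `isError && (...)` block driven by the mutation, so the client-side message will not appear unless that page condition is also changed.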
@@ -5,7 +5,7 @@ import { useForm } from 'react-hook-form'; import { useMutation, useQuery } from '@tanstack/react-query'; import { notify } from '@libs/notify'; -import { API_KEYS, NOTIFICATION_KEYS, ROUTES } from '@config'; +import { API_KEYS, CONSTANTS, NOTIFICATION_KEYS, ROUTES } from '@config'; import { commonApi } from '@libs/api'; import { track } from '@libs/amplitude'; import { useAppState } from 'store/app.context'; @@ -40,7 +40,7 @@ export function useSignup() { const [isInvitationLink, setIsInvitationLink] = useState(); const invitationId = query.invitationId as string | undefined; - const { isLoading: isAcceptingInvitation, isError } = useQuery( + const { isLoading: isAcceptingInvitation, isError } = useQuery( [API_KEYS.GET_TEAM_INVITATIONS, invitationId], () => commonApi(API_KEYS.GET_TEAM_INVITATIONS as any, { @@ -99,6 +99,13 @@ export function useSignup() { }); const onSignup = (data: ISignupFormData) => { + if (data.password && data.password.length > CONSTANTS.MAX_PASSWORD_LENGTH) { + setError("password", { + type: "manual", + message: `Password length must be less than ${CONSTANTS.MAX_PASSWORD_LENGTH}!` + }); + return; + } const signupData: ISignupData = { firstName: data.fullName.split(' ')[0], lastName: data.fullName.split(' ')[1], diff --git a/apps/web/pages/auth/reset/[token].tsx b/apps/web/pages/auth/reset/[token].tsx index 78310ac28..e266a86f3 100644 --- a/apps/web/pages/auth/reset/[token].tsx +++ b/apps/web/pages/auth/reset/[token].tsx @@ -9,8 +9,8 @@ import { OnboardLayout } from '@layouts/OnboardLayout'; import { useResetPassword } from '@hooks/auth/useResetPassword'; import { PLACEHOLDERS, ROUTES, colors } from '@config'; -export default function ResetPasswordPage({}) { - const { register, resetPassword, error, isError } = useResetPassword(); +export default function ResetPasswordPage({ }) { + const { register, resetPassword, error, isError, errors } = useResetPassword(); return ( <> 
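Review bot: The guard in `onSignup` has the same wording mismatch as the reset flow: it rejects only when `length > CONSTANTS.MAX_PASSWORD_LENGTH`, so a password of exactly that length is accepted while the message says it must be "less than" it; `message: \`Password must be at most ${CONSTANTS.MAX_PASSWORD_LENGTH} characters\`` matches the condition. `setError` is not brought into scope by this hunk, so it presumably comes from the `useForm()` destructuring earlier in the function — worth confirming, since the reset hook needed an explicit change to expose it. The added lines use double quotes where the surrounding imports use single quotes. The `useQuery` hunk above appears to differ only in whitespace and could be dropped from the patch.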
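Review bot: `ResetPasswordPage({ })` differs from the removed line only by the space inside the braces, which a formatter will revert on the next run; keep `({})` so this hunk shows only the intended addition of `errors` to the destructuring. The `errors` value is consumed by the second hunk of this file further down; the component body continues outside this hunk.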
@@ -46,7 +46,7 @@ export default function ResetPasswordPage({}) { {isError && ( - {error?.message} + {error?.message || errors.password.message} )} From 5e35142e24e81b5a21448cedb896678f5c2dcb52 Mon Sep 17 00:00:00 2001 From: Sinan Date: Fri, 15 Nov 2024 15:06:41 +0530 Subject: [PATCH 4/4] error showing updated --- apps/web/pages/auth/reset/[token].tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/web/pages/auth/reset/[token].tsx b/apps/web/pages/auth/reset/[token].tsx index e266a86f3..1b8bae9ab 100644 --- a/apps/web/pages/auth/reset/[token].tsx +++ b/apps/web/pages/auth/reset/[token].tsx @@ -44,7 +44,7 @@ export default function ResetPasswordPage({ }) { Back to Signin - {isError && ( + {isError || errors.password.message && ( {error?.message || errors.password.message}
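Review bot: `errors.password.message` dereferences `errors.password` without a guard; react-hook-form's `formState.errors` only carries an entry for a field that currently has an error, so whenever `isError` is true for a server-side failure and `error?.message` is empty this line throws a TypeError during render — use `errors.password?.message`. Separately, the block is still gated on `isError` from the mutation, so a client-side `setError` alone never renders unless the request is also sent. The follow-up `[PATCH 4/4]` hunk below changes the condition to `isError || errors.password.message && (`, which parses as `isError || (errors.password.message && (...))`: when `isError` is true the expression is just `true`, which React renders as nothing, and the unguarded access remains. `{(isError || errors.password) && (` with `{error?.message || errors.password?.message}` inside covers both cases; the enclosing JSX closes outside these hunks.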