diff --git a/app/auth.py b/app/auth.py
index d72ee59..2d75406 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -7,6 +7,7 @@ from sqlmodel import Session, select
 from .db import get_session
 from .models import User
+BCRYPT_MAX_BYTES = 72
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
@@ -20,6 +21,14 @@ def verify_password(plain_password: str, hashed_password: str) -> bool:
     return pwd_context.verify(plain_password, hashed_password)
+def password_too_long(password: str) -> bool:
+    """Return True if password exceeds bcrypt's 72-byte limit."""
+    try:
+        return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES
+    except Exception:
+        return True
+
+
 def get_current_user(
     request: Request,
     session: Session = Depends(get_session),
diff --git a/app/main.py b/app/main.py
index 6ecb272..deb8c29 100644
--- a/app/main.py
+++ b/app/main.py
@@ -21,6 +21,7 @@ from .utils import (
 from .auth import (
     hash_password,
     verify_password,
+    password_too_long,
     get_current_user,
     require_current_user,
     require_admin,
@@ -142,6 +143,8 @@ def register(
     error = None
     if password != password_confirm:
         error = "Passwords do not match."
+    elif password_too_long(password):
+        error = "Passwort ist zu lang (max. 72 Bytes). Bitte kürzer wählen."
     else:
         existing = session.exec(
             select(User).where(User.username == username)
@@ -221,6 +224,19 @@ def login(
             status_code=400,
         )
+    if password_too_long(password):
+        token = ensure_csrf_token(request)
+        return templates.TemplateResponse(
+            "login.html",
+            {
+                "request": request,
+                "error": "Passwort ist zu lang (max. 72 Bytes).",
+                "current_user": None,
+                "csrf_token": token,
+            },
+            status_code=400,
+        )
+
     user = session.exec(select(User).where(User.username == username)).first()
     error = None
     if not user or not verify_password(password, user.password_hash):
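Review bot: The `except Exception` in `password_too_long` is far wider than the one failure `str.encode("utf-8")` can actually raise (a `UnicodeEncodeError` on lone surrogates), so it would also mask a programming error such as a non-str `password` by reporting "too long"; `except UnicodeEncodeError:` keeps the fail-closed result for the real case without hiding bugs. The limit is only enforced at the two call sites this commit touches, not in `hash_password` itself (outside the hunk), so any future caller of `hash_password` can still pass bytes beyond the 72 the bcrypt backend actually uses; consider raising `ValueError` from `hash_password` when `password_too_long(password)` is true, which makes the check impossible to bypass. The docstring could also state why the limit matters, e.g. `"""Return True if password exceeds bcrypt's 72-byte limit (bcrypt only hashes the first 72 bytes, so longer inputs would be silently truncated or rejected by the backend)."""`.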
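Review bot: The new message in `register` is German while the adjacent existing `error = "Passwords do not match."` is English, so the same form now mixes languages depending on which validation fails; pick one language for the registration errors (the login hunk uses German too). The literal `72` in the message also duplicates `BCRYPT_MAX_BYTES` and will drift if the constant changes; if the constant is imported alongside `password_too_long`, `error = f"Passwort ist zu lang (max. {BCRYPT_MAX_BYTES} Bytes). Bitte kürzer wählen."` keeps them in step. `register` starts and ends outside the hunk.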
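Review bot: Rejecting over-long passwords in `login` before the user lookup changes behaviour for any account whose hash was created before this check existed: if the bcrypt backend in use previously truncated silently at 72 bytes, such a user can no longer log in with the password that was accepted at registration and gets a 400 with no path to recover. Worth confirming whether such accounts can exist, and if so adding a migration step or a reset hint to the error text rather than a hard rejection; this is inferred from the hunk, the earlier `hash_password` path is outside it. The added response block appears to be the same shape as the 400 response immediately above it (only its tail is visible in the hunk), so a small module-level helper would remove the duplicated template/context/status boilerplate and keep `current_user`, `csrf_token` and `status_code` consistent across all login error paths. `login` starts and ends outside the hunk.

```python
def _login_error(request: Request, message: str):
    """Render login.html with an error banner and HTTP 400."""
    return templates.TemplateResponse(
        "login.html",
        {
            "request": request,
            "error": message,
            "current_user": None,
            "csrf_token": ensure_csrf_token(request),
        },
        status_code=400,
    )

# … unchanged: login() up to the previous 400 response …
    if password_too_long(password):
        return _login_error(request, "Passwort ist zu lang (max. 72 Bytes).")
# … unchanged: user lookup and verify_password …
```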