cedricbonhomme / newspipe

A web news aggregator.
https://www.newspipe.org
GNU Affero General Public License v3.0
437 stars 41 forks source link

Length control on admin password #64

Closed sfermigier closed 9 months ago

sfermigier commented 9 months ago

This can lead to trouble, e.g. if I run:

flask create_admin --nickname admin --password admin

then I can't log-in.

The admin password is only 5 characters long, and the signin for has a constraint on 6 chars min.

class SigninForm(RedirectForm):
    ...
    password = PasswordField(
        lazy_gettext("Password"),
        [
            validators.DataRequired(lazy_gettext("Please enter a password.")),
            validators.Length(min=6, max=500),
        ],
    )

If the constraint is relevant for a sign-in form (not sure it is), then it should also be enforced in flask create_admin. Or it should be dropped altogether.

cedricbonhomme commented 9 months ago

Indeed, I remember this issue... Maybe I could keep the check on the minimum size of the password only for the sign-up form. When a user wants to create an account (or update the password). And remove the size check for the sign-in form.

I like that it is possible to create "weak" password via the flask command. So I will keep it without size check. Or a warning message (a bit like Django is doing).

I used to use a function in order to really check if a password is complex enough, not only checking its size. Maybe I should implement it again.