frappe / press

Full service cloud hosting for the Frappe stack - powers Frappe Cloud
https://frappe.cloud
GNU Affero General Public License v3.0

possible bug in signup dialog PW verification #671

Closed flypenguin closed 1 year ago

flypenguin commented 1 year ago

Description of the issue

bad password registering dialog on frappecloud.com

Context information (for bug reports)

I don't know if this is configuration, but it's broken.

Steps to reproduce the issue

  1. open https://frappecloud.com/frappe/signup
  2. enter your data, and this password: !NW4Ucun2^mmxt8SU%bsGd%4
  3. see this error message: "Bad Password! The password length should be atleast 8 characters and it should contain a combination of capital letters, small letters, numbers and symbols"
  4. be confused

Observed result

error message

Expected result

account signup

Additional information

firefox, the given URL above

flypenguin commented 1 year ago

On a hunch I tried a shorter password. Works then. This is a bug, because you should be shown the correct reason for the error.

ankush commented 1 year ago

Seems to pass password strength checks in frappe :thinking:

In [2]: test_password_strength("!NW4Ucun2^mmxt8SU%bsGd%4")
Out[2]:
{'password': '!NW4Ucun2^mmxt8SU%bsGd%4',
 'guesses': 1000000000000000000000001,
 'guesses_log10': 23.999999999999996,
 'sequence': [{'pattern': 'bruteforce',
   'token': '!NW4Ucun2^mmxt8SU%bsGd%4',
   'i': 0,
   'j': 23,
   'guesses': 1000000000000000000000000,
   'guesses_log10': 23.999999999999996}],
 'calc_time': datetime.timedelta(microseconds=4709),
 'crack_times_seconds': {'online_throttling_100_per_hour': Decimal('36000000000000001998401480.33'),
  'online_no_throttling_10_per_second': Decimal('100000000000000000000000.1'),
  'offline_slow_hashing_1e4_per_second': Decimal('100000000000000000000.0001'),
  'offline_fast_hashing_1e10_per_second': Decimal('100000000000000.0000000001')},
 'crack_times_display': {'online_throttling_100_per_hour': 'centuries',
  'online_no_throttling_10_per_second': 'centuries',
  'offline_slow_hashing_1e4_per_second': 'centuries',
  'offline_fast_hashing_1e10_per_second': 'centuries'},
 'score': 4,
 'feedback': {'warning': '', 'suggestions': []}}

ankush commented 1 year ago

nvm it's custom function here: https://github.com/frappe/press/blob/de7061ec477332d7570d1fa842f6a67835219e6e/press/www/erpnext/signup.html#L217

shadrak98 commented 1 year ago

The password strength check internally validates for max 20 chars only. Extended the limit to 35 chars: https://github.com/frappe/press/commit/a43babf98894b3c4d1c82ebd2a55943184856370
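The failure mode in this thread, a client-side check that silently capped password length at 20 characters and reported every failure with the same generic "Bad Password!" text, is easy to reproduce and easy to avoid. The following is an added example and not the project's signup.html code: the single-regex check with a {8,20} window is an assumed shape modelled on the comment above (the real file is not on this page), and the MAX_LEN of 128 and the rule names are assumptions chosen for illustration. It evaluates the reported 24-character password against both the capped check and a per-rule check that names the rule that actually failed.

```javascript
// Added example (not frappe/press code). Shows how a combined regex with a
// short length window yields a misleading generic error, beside a check that
// evaluates each requirement separately and reports the real reason.

// Assumed shape of the capped check: one regex, one generic message.
// The {8,20} window makes any password over 20 characters fail, but the
// caller cannot tell length from a missing character class.
const CAPPED_RE =
  /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z\d]).{8,20}$/;

function cappedCheck(pw) {
  return CAPPED_RE.test(pw)
    ? { ok: true, reason: null }
    : { ok: false, reason: "Bad Password! (generic message, no specific rule)" };
}

// Corrected check: each rule is tested on its own so the message names the
// failing rule(s). MAX_LEN is an assumed high cap that only bounds hashing
// cost; it is not a usability limit like the 20-character window above.
const MIN_LEN = 8;
const MAX_LEN = 128;

const RULES = [
  { name: "min_length", test: (p) => p.length >= MIN_LEN, msg: `at least ${MIN_LEN} characters` },
  { name: "max_length", test: (p) => p.length <= MAX_LEN, msg: `at most ${MAX_LEN} characters` },
  { name: "lower",      test: (p) => /[a-z]/.test(p),          msg: "a lowercase letter" },
  { name: "upper",      test: (p) => /[A-Z]/.test(p),          msg: "an uppercase letter" },
  { name: "digit",      test: (p) => /\d/.test(p),             msg: "a digit" },
  { name: "symbol",     test: (p) => /[^A-Za-z\d]/.test(p),    msg: "a symbol" },
];

function detailedCheck(pw) {
  const failed = RULES.filter((r) => !r.test(pw));
  if (failed.length === 0) {
    return { ok: true, failed: [], message: null };
  }
  return {
    ok: false,
    failed: failed.map((r) => r.name),
    message: "Password must have " + failed.map((r) => r.msg).join(", ") + ".",
  };
}

// The password from the bug report: 24 characters, every class present.
const REPORTED_PW = "!NW4Ucun2^mmxt8SU%bsGd%4";

// Stand-alone demonstration of the two behaviours.
console.log("capped  :", cappedCheck(REPORTED_PW));
console.log("detailed:", detailedCheck(REPORTED_PW));
console.log("detailed:", detailedCheck("Short1!"));
```

The capped check rejects the reported password purely on length, yet its message talks about character classes, which is exactly the confusion the reporter hit. With the rules split out, the same input passes, and a genuinely weak input gets a message that names the rule it broke, so the user is not left guessing.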