go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Passwords unable to be over 64 characters #31911

Open VetheonGames opened 2 months ago

VetheonGames commented 2 months ago

Description

Hey everyone,

A user recently reported a strange error to me: they could set a password of over 64 characters and log in once, but then it won't let them log in again, stating they are using the wrong password.

It took us quite a bit of troubleshooting to narrow it down to the fact that it happens when the user's password is longer than 64 characters.

If this is a limitation that's unable to be overcome, it would be nice to have a warning on the registration page that states that passwords cannot be over 64 characters, or just prevent passwords from being saved if they exceed that length.

Gitea Version

1.22.0 built with GNU Make 4.4.1, go1.22.3 : bindata, timetzdata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No logs other than "invalid password for 'username'"

Screenshots

No response

Git Version

No response

Operating System

Arch Linux (Zen Kernel)

How are you running Gitea?

Inside the official Docker container

Database

MySQL/MariaDB

eeyrjmr commented 2 months ago

odd, the limit elsewhere is 255

https://github.com/go-gitea/gitea/blob/e0c27e59968f0ecc5e433617f303520fb765b06a/services/forms/admin.go#L22

yp05327 commented 2 months ago

I tried a password like aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, which has 80 characters. And it works when logging in again several times. So I think the root cause may not be the length of the password.

There are some things to confirm:

> odd, the limit elsewhere is 255

The password is not saved directly in the DB, so the limit on this field is not related to the real length of the password.

eeyrjmr commented 2 months ago

Please confirm whether the user is unable to log in via the web UI or via git interaction (push/pull...).

The web UI would be ... ok, and might point towards some password manager (built into Chrome for instance); for git ... it could be the credential manager.

BOTH should have prompted when there was a password change, but there is always the possibility it didn't.

Frerduro commented 1 month ago

I was the end user; I use Bitwarden as my password manager. I changed my password to a 128-char password generated by Bitwarden, saved it to Bitwarden, and copied it to Notepad to ensure I wasn't losing it. It let me onto the site after changing my password. I logged out and logged back in, and it denied my password. I tried password reset via email four times. We tried deleting and recreating my account twice, and despite making sure I saved the password it refused to let me log in with a password until I dropped the length to 64. One of the passwords tried was b7nwOFv8oX3styrbkwQOimrJI2iIu22ZrUn2ofXCBskDGPsn6PXZBj68FtO2Mv6Rikqv4TMKXnn5fa5tNRCUUS0fOpVPam5uEYmeRodH2RIW5mQSOzlvuY0E6e0PvJym and it didn't work. But cutting it in half as the new password worked fine. (Not a password being used anymore, just an example from the past.)

VetheonGames commented 2 weeks ago

Any word on what we can do to help investigate this? Apologies for my lack of response, I don't check GitHub often since switching all my stuff over to my private Gitea instance lol

eeyrjmr commented 2 weeks ago

> Any word on what we can do to help investigate this? Apologies for my lack of response, I don't check GitHub often since switching all my stuff over to my private Gitea instance lol

good question... So. I took that "example" password from @Frerduro ( b7nwOFv8oX3styrbkwQOimrJI2iIu22ZrUn2ofXCBskDGPsn6PXZBj68FtO2Mv6Rikqv4TMKXnn5fa5tNRCUUS0fOpVPam5uEYmeRodH2RIW5mQSOzlvuY0E6e0PvJym ), made a test user, and when logged in the first time changed the password to this example. It worked and I can log in and log out.

This is with gitea 1.22.2 (gentoo, local compile)

You have a password manager in use here, so you need to determine whether this is gitea or the password manager or the browser...

VetheonGames commented 2 weeks ago

> > Any word on what we can do to help investigate this? Apologies for my lack of response, I don't check GitHub often since switching all my stuff over to my private Gitea instance lol
>
> good question... So. I took that "example" password from @Frerduro ( b7nwOFv8oX3styrbkwQOimrJI2iIu22ZrUn2ofXCBskDGPsn6PXZBj68FtO2Mv6Rikqv4TMKXnn5fa5tNRCUUS0fOpVPam5uEYmeRodH2RIW5mQSOzlvuY0E6e0PvJym ), made a test user, and when logged in the first time changed the password to this example. It worked and I can log in and log out.
>
> This is with gitea 1.22.2 (gentoo, local compile)
>
> You have a password manager in use here, so you need to determine whether this is gitea or the password manager or the browser...

Well, the password manager is just what generated the password for us.

We copy-pasted it from Notepad, and he even tried manually entering it. If you can use it without issue, perhaps the issue is with my database setup or something?

I know I've had strange issues with my personal gitea instance not behaving normally for unknown nebulous reasons before.

wxiaoguang commented 2 weeks ago

I set up a 1.22 instance and tested your password b7nwOFv8oX3styrbkwQOimrJI2iIu22ZrUn2ofXCBskDGPsn6PXZBj68FtO2Mv6Rikqv4TMKXnn5fa5tNRCUUS0fOpVPam5uEYmeRodH2RIW5mQSOzlvuY0E6e0PvJym.

It does work. If you believe there is a problem which should be resolved, a reproducible setup with detailed steps is needed. For example:

  1. Write a docker compose: ....
  2. Do docker compose up, and install
  3. Change app.ini to ....
  4. Restart docker compose
  5. Access 'http://localhost:3000/....'
  6. Register .....
  7. Set password ...
  8. Login with password .....

If and only if others could reproduce, the problem might be debugged.


wxiaoguang commented 2 weeks ago

> We copy-pasted it from Notepad, and he even tried manually entering it. If you can use it without issue, perhaps the issue is with my database setup or something?

Maybe you could also check your network service, especially some firewalls and reverse proxy (security) settings.

yp05327 commented 2 weeks ago

If you don't use Bitwarden, does it work? I also tried this password, and it works when I input it manually. Maybe others also tried it without a password manager, and I guess it may be related to Bitwarden.
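Several comments above ask the same thing: is the long password being rejected by Gitea itself, or mangled on the way there by the browser, the password manager, or a proxy? One way to separate those is to check the credential directly against the Gitea REST API, with no browser in the loop, after confirming that the password file holds exactly the bytes the user intends. The script below is an added example, not code from this issue or from the Gitea project. It assumes a reachable instance (`GITEA_URL`, default `http://localhost:3000`), `curl` in `PATH`, and a plain file containing the password; the user name and the password file are placeholders you supply, and the sample password built in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the Gitea project): test a long password against a
# Gitea instance without a browser or password manager in the loop.
# Assumptions: curl is installed; GITEA_URL points at the instance under test.
GITEA_URL="${GITEA_URL:-http://localhost:3000}"

# Byte length of a string. The server sees bytes, so for a password with
# non-ASCII characters this can differ from the character count shown by a UI.
pw_byte_len() {
  printf '%s' "$1" | wc -c | tr -d ' '
}

# True when the password file carries whitespace bytes (trailing newline, CR
# from a Windows editor, tab, space): bytes a browser form never submits but a
# copy from Notepad or a clipboard easily adds.
pw_file_has_stray_bytes() {
  total=$(wc -c < "$1" | tr -d ' ')
  kept=$(tr -d '[:space:]' < "$1" | wc -c | tr -d ' ')
  [ "$total" -ne "$kept" ]
}

# Show the exact bytes so a stray \r or \n is visible.
pw_file_dump() {
  od -An -c "$1"
}

# Authenticate against /api/v1/user with HTTP basic auth and print the status:
# 200 means the server accepted the user/password pair, 401 means it rejected it.
# The credential is handed to curl through a config read from stdin rather than
# on the command line, so it does not appear in the process list.
gitea_login_status() {
  user="$1"
  pw_file="$2"
  # $(cat) drops trailing newlines, so the password is sent without them.
  # A password containing '"' or '\' would need escaping in curl's config format.
  printf 'user = "%s:%s"\n' "$user" "$(cat "$pw_file")" |
    curl -s -o /dev/null -w '%{http_code}' -K - "$GITEA_URL/api/v1/user"
}

# Usage: ./check_pw.sh probe <username> <password-file>
# (the <username> and <password-file> values are yours to supply)
if [ "${1:-}" = "probe" ]; then
  user="$2"
  pw_file="$3"
  echo "password bytes in file: $(wc -c < "$pw_file" | tr -d ' ')"
  if pw_file_has_stray_bytes "$pw_file"; then
    echo "warning: password file contains whitespace bytes:"
    pw_file_dump "$pw_file"
  fi
  status=$(gitea_login_status "$user" "$pw_file")
  echo "API login status: $status"
  case "$status" in
    200) echo "server accepts this password; look at the browser, password manager or proxy" ;;
    401) echo "server rejects this password; the stored hash does not match this input" ;;
    *)   echo "unexpected status; check GITEA_URL and any reverse proxy in front of Gitea" ;;
  esac
fi
```

Run it once right after setting the password and again after logging out, exactly as the reporter did through the browser; if the API keeps returning 200 while the browser login fails, the server-side hash is fine and the problem sits in what the browser or password manager submits. A 401 from the API for a password the stray-byte check passed is the case worth turning into the reproducible docker compose steps asked for above.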