Open dkess opened 5 years ago
I'm also not sure what the best practice here is but as far as preventing this error goes it seems to be a problem with the password validation. validate_password
should reject non-ascii characters here, but validate_password
isn't called until the NewAccountRequest
is created, by which point the non-ascii characters have already been passed to encrypt_password
.
Perhaps a short term fix could be to validate the password before creating the NewAccountRequest
and a long term fix could be to change the encoding used for encrypted passwords to something more general like password.encode('base64','strict')
(assuming that no other software requires ascii-only passwords).
You have to be careful with full Unicode passwords since you don't want to allow passwords that users won't be able to type. Unicode is full of surprises and edge cases. For now, let's stick with ASCII and if you want to go beyond that, do some research on the state-of-the-art and implement what's done elsewhere in a separate, future commit.
Tfw no emoji passwords 😭
TIL https://tools.ietf.org/html/rfc8265
E: also I have someone in mind to ask about sources of how to handle Unicode correctly.
Interesting rootspam from last night:
I assume this is from someone trying to use non-ascii character in their password. I am not sure what the best practices for this are, but we should investigate this further and see if we can avoid using the
ascii
encoding.