zenstackhq / zenstack

Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.
https://zenstack.dev
MIT License

Password length requirements being applied to hashed password #1502

Closed ranjez closed 2 months ago

ranjez commented 3 months ago

Description and expected behavior

password String @length(min: 8, max: 32) @password @omit

When I do the above and pass an 8-character-long password, the validation seems to happen against the hashed password, as I get the following error back from the API.

I expect the validation on length to be done on the unhashed password. This currently prevents any server-side validation being applied to the length of a password, and without this validation it allows an empty password to be created with an account.

Screenshots

image

Environment (please complete the following information):

Additional context

Ideally this validation can just be applied to the @password field as another param called minLength.

ymc9 commented 3 months ago

Hi @ranjez, yes, it's a known problem that @length doesn't play well with @password. I'll think about how to resolve this problem.
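The ordering problem reported in this issue, as an added example that is not ZenStack's code or its fix: a length rule run after hashing sees a fixed-size digest string and says nothing about the input, while the same rule run before hashing enforces the policy. Node's built-in scrypt stands in for whatever hash `@password` applies (an assumption), and all function names are hypothetical.

```javascript
// Added example, not ZenStack code; scrypt stands in for the @password hash.
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Constructed policy mirroring the schema in the issue: @length(min: 8, max: 32).
const POLICY = { min: 8, max: 32 };

function checkLength(value, { min, max }) {
  const n = Array.from(value).length; // count code points, not UTF-16 units
  return n >= min && n <= max;
}

function hashPassword(plain) {
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(plain, salt, 32);
  // Encoded form is always 7 + 32 + 1 + 64 = 104 characters,
  // whatever the length of the plaintext.
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

// Ordering reported in the issue: the length rule is applied to the hash.
// Every password is rejected, because the stored string exceeds max.
function createUserHashThenValidate(plain) {
  const stored = hashPassword(plain);
  if (!checkLength(stored, POLICY)) {
    return { ok: false, reason: 'length rule failed on stored value' };
  }
  return { ok: true, stored };
}

// Ordering the reporter expects: the rule is applied to the plaintext,
// and only a value that passed is hashed and stored.
function createUserValidateThenHash(plain) {
  if (typeof plain !== 'string' || !checkLength(plain, POLICY)) {
    return { ok: false, reason: 'length rule failed on plaintext' };
  }
  return { ok: true, stored: hashPassword(plain) };
}
```

Dropping the length rule to get past the first behaviour removes the only server-side check, which is how the empty password described in the report gets accepted.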