This repository has been archived by the owner on Apr 3, 2019. It is now read-only.

password validation needs to be implemented #416

Closed
edwindotcom opened this issue Dec 11, 2013 · 11 comments

@edwindotcom

  1. using client/example.js
    change the password string to empty, int, or really long string
  2. run node client/example.js

actual: it works

expected: should get an error that password must be between ~8-32 characters?

@ckarlof
Contributor

ckarlof commented Dec 11, 2013

The auth server doesn't have direct access to the length of your password, so this restriction cannot be enforced in the API. It can be enforced on our clients. Here is a tracking issue for FxA on the Web: mozilla/fxa-content-server#110. I'm not sure if we have corresponding issues for Android and FxOS.

@ckarlof ckarlof closed this as completed Dec 11, 2013
@ckarlof
Contributor

ckarlof commented Dec 11, 2013

@jbonacci

If @edmoz does not get to it soon, I will open a couple of tickets from the above trees...

@edwindotcom
Author

@jbonacci I'm thinking we should test this in elm builds now, then log bugs as appropriate.

I'm wondering if the server can get buffer overflow'd with really large pw strings -- I'll try it.

@jbonacci

@edmoz are you talking here? or is it here but not supported on desktop/android?

@dannycoates
Contributor

@edmoz the server should reject any POST over 1MB

@jbonacci

OK, so that is something we can check against the Dev auth server since that is where the ELM builds are pointing.
api-accounts.dev.lcip.org
accounts.dev.lcip.org

@edwindotcom
Author

I've been logging in 100s of times with 64k pw and I'm seeing this mem growth. Not sure at what point GC will kick in

start
(op=stat, stat=mem, rss=45584384, heapTotal=33203200, heapUsed=20952016)

(op=stat, stat=mem, rss=73519104, heapTotal=57179904, heapUsed=26711696)
(op=stat, stat=mem, rss=75743232, heapTotal=58199808, heapUsed=24065704)
(op=stat, stat=mem, rss=77176832, heapTotal=58211840, heapUsed=27537384)
~300 logins with 1 user and a 64kb password
(op=stat, stat=mem, rss=79466496, heapTotal=61283584, heapUsed=32244416)

@jbonacci

@edmoz where are you capturing those stats?

Looks like a new issue...

Related?
#422

@dannycoates
Contributor

> I've been logging in 100s of times with 64k pw and I'm seeing this mem growth

which env is this against?

@edwindotcom
Author

I'm running master, locally on Mac 10.9. Prob should try against AWS, as Linux handles open files better.
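
An added example, not part of the thread or the project's code: a Node.js sketch of the split the comments above describe, where the password length check lives on the client and the server caps the POST size and validates only the fixed-size derived value it receives. The KDF parameters, the salt string, the `verifier` field name, the 256-character email limit and all function names are assumptions for illustration.

```javascript
// Added illustration: names, limits and KDF parameters are assumptions, not FxA's own.
const crypto = require('node:crypto');

const MIN_PW = 8, MAX_PW = 32;        // range proposed in the issue; enforceable client-side only
const MAX_BODY_BYTES = 1024 * 1024;   // the 1MB POST cap mentioned in the thread
const VERIFIER_RE = /^[0-9a-f]{64}$/; // 32-byte derived value, hex encoded (assumed format)

// Stretching maps any password to a fixed-size value, which hides its length from the server.
function stretch(email, password) {
  return crypto.pbkdf2Sync(password, `example-salt:${email}`, 1000, 32, 'sha256').toString('hex');
}

// Client side: the only place the raw password, and so its length, is visible.
function clientDeriveVerifier(email, password) {
  if (typeof password !== 'string') throw new TypeError('password must be a string');
  if (password.length < MIN_PW || password.length > MAX_PW) {
    throw new RangeError(`password must be ${MIN_PW}-${MAX_PW} characters`);
  }
  return stretch(email, password);
}

// Server side: cap the body, then check the shape of the derived value it actually receives.
function serverValidateLogin(rawBody) {
  if (Buffer.byteLength(rawBody) > MAX_BODY_BYTES) return { ok: false, code: 413 };
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, code: 400 }; }
  const { email, verifier } = body ?? {};
  if (typeof email !== 'string' || email.length === 0 || email.length > 256) {
    return { ok: false, code: 400 };
  }
  if (typeof verifier !== 'string' || !VERIFIER_RE.test(verifier)) {
    return { ok: false, code: 400 };
  }
  return { ok: true, code: 200 };
}
```

A real server would enforce the size cap while the request body is still streaming in, rather than after buffering it as this sketch does.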
