fix: ignore commata in HIBP response

ory · Aug 26, 2022 · 0856bd7 · 0856bd7
1 parent d56586b
commit 0856bd7
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/selfservice/strategy/password/validator.go b/selfservice/strategy/password/validator.go
@@ -138,7 +138,7 @@ func (s *DefaultPasswordValidator) fetch(hpw []byte, apiDNSName string) (int64,
 		// See https://github.com/ory/kratos/issues/2145
 		count := int64(1)
 		if len(result) == 2 {
-			count, err = strconv.ParseInt(result[1], 10, 64)
+			count, err = strconv.ParseInt(strings.ReplaceAll(result[1], ",", ""), 10, 64)
 			if err != nil {
 				return 0, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Expected password hash to contain a count formatted as int but got: %s", result[1]))
 			}

diff --git a/selfservice/strategy/password/validator_test.go b/selfservice/strategy/password/validator_test.go
@@ -204,6 +204,18 @@ func TestDefaultPasswordValidationStrategy(t *testing.T) {
 					)
 				},
 			},
+			{
+				name: "contains less than maxBreachesThreshold with a leading comma",
+				res: func(t *testing.T, hash string) string {
+					return fmt.Sprintf(
+						"%s:%d\n%s:0,%d",
+						hash,
+						conf.PasswordPolicyConfig(ctx).MaxBreaches,
+						hashPw(t, randomPassword(t)),
+						conf.PasswordPolicyConfig(ctx).MaxBreaches+1,
+					)
+				},
+			},
 			{
 				name: "contains more than maxBreachesThreshold",
 				res: func(t *testing.T, hash string) string {