fix(otp): respect minimum_password_length when generating dummy password#2503
Open
abhijeet-rane wants to merge 1 commit into supabase:master from
MagicLink (email OTP) and SmsOtp (phone OTP) signup generate a temporary password for new users and then invoke Signup, which validates the password against config.Password.MinLength. The hardcoded lengths (33 and 64) caused a 422 WeakPasswordError whenever GOTRUE_PASSWORD_MIN_LENGTH was configured above those values, even though the caller never supplied a password.

Generate a password that is at least config.Password.MinLength, clamped to MaxPasswordLength (72) to stay within bcrypt's limit.

Closes supabase#2456

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
What kind of change does this PR introduce?

Bug fix.

What is the current behavior?

`signInWithOtp({ email })` and `signInWithOtp({ phone })` return `422 Unprocessable Entity` with a `WeakPasswordError` when `GOTRUE_PASSWORD_MIN_LENGTH` is configured above the hardcoded temporary-password lengths (33 for magic link, 64 for SMS OTP), even though the caller never supplies a password. Closes #2456.

Reproduction

1. `minimum_password_length = 100` in `config.toml` under `[auth]`
2. `enable_signup = true` under `[auth.email]`
3. `signInWithOtp({ email: "test@example.com" })`
4. `422 Unprocessable Entity` with `"Password should be at least 100 characters"`

Root cause

Both `MagicLink` (email OTP) and `SmsOtp` (phone OTP) generate a temporary password for new users and then invoke `Signup`, which calls `checkPasswordStrength` and enforces `config.Password.MinLength`. The generated passwords are hardcoded at 33 and 64 characters respectively, so any `MinLength` above those values breaks OTP signup.

What is the new behavior?

The generated password length is now `min(max(base, config.Password.MinLength), MaxPasswordLength)` where `base` is the previous hardcoded value (33 or 64) and `MaxPasswordLength` is the existing 72-char bcrypt ceiling. This preserves existing behavior when `MinLength ≤ base` and satisfies strength validation for realistic higher values.

Admin and invite flows (`admin.go`, `verify.go`) also generate temporary passwords but bypass `checkPasswordStrength`, so they are unaffected and intentionally not changed.

Additional context

- `TestOtpRespectsMinPasswordLength` in `internal/api/otp_test.go`
- `make test` passes locally against Postgres 15 (TestOtp, TestSignup, TestVerify, TestRecover, TestMagicLink, TestPasswordStrengthChecks all green)
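The length clamp the description gives, `min(max(base, MinLength), MaxPasswordLength)`, worked through as an added example. This is illustrative code written for this page, not the project's own `MagicLink`, `SmsOtp` or `checkPasswordStrength`: the function names `dummyPasswordLength`, `generateDummyPassword`, `checkMinLength` and `otpSignupPasswordOK` are hypothetical, the 64-symbol alphabet is a choice made here, and only the base lengths (33, 64), the 72-character bcrypt ceiling and the repro's error message are taken from the description above. It runs the old (fixed-length) and new (clamped) behaviour side by side against several configured minimums, including the `100` from the reproduction.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// MaxPasswordLength is the 72-character bcrypt ceiling the PR description refers to.
const MaxPasswordLength = 72

// Base lengths the description gives for the two OTP flows
// (hypothetical constant names, not the project's).
const (
	magicLinkBaseLen = 33
	smsOtpBaseLen    = 64
)

// dummyPasswordLength is the PR's formula:
// min(max(base, minLength), MaxPasswordLength).
func dummyPasswordLength(base, minLength int) int {
	n := base
	if minLength > n {
		n = minLength
	}
	if n > MaxPasswordLength {
		n = MaxPasswordLength
	}
	return n
}

// generateDummyPassword returns n characters drawn with crypto/rand from a
// 64-symbol alphabet. Because the alphabet has exactly 64 entries, masking
// each random byte to 6 bits selects a symbol uniformly with no modulo bias.
func generateDummyPassword(n int) (string, error) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	for i := range buf {
		buf[i] = alphabet[buf[i]&0x3f]
	}
	return string(buf), nil
}

// checkMinLength stands in for the minimum-length part of the strength check
// that Signup enforces (hypothetical helper, not the project's
// checkPasswordStrength). The message mirrors the one in the reproduction.
func checkMinLength(password string, minLength int) error {
	if len(password) < minLength {
		return fmt.Errorf("Password should be at least %d characters", minLength)
	}
	return nil
}

// otpSignupPasswordOK reports whether an OTP signup with the given base and
// configured minimum passes the length check, with clamp=false modelling the
// old hardcoded length and clamp=true the new clamped length.
func otpSignupPasswordOK(base, minLength int, clamp bool) (bool, error) {
	n := base
	if clamp {
		n = dummyPasswordLength(base, minLength)
	}
	pw, err := generateDummyPassword(n)
	if err != nil {
		return false, err
	}
	return checkMinLength(pw, minLength) == nil, nil
}

func main() {
	for _, minLen := range []int{8, 50, 72, 100} {
		before, _ := otpSignupPasswordOK(magicLinkBaseLen, minLen, false)
		after, _ := otpSignupPasswordOK(magicLinkBaseLen, minLen, true)
		fmt.Printf("MinLength=%3d  magic link: before=%v after=%v (generated length %d)\n",
			minLen, before, after, dummyPasswordLength(magicLinkBaseLen, minLen))
	}
	fmt.Printf("MinLength=100  sms otp: generated length %d\n",
		dummyPasswordLength(smsOtpBaseLen, 100))
}
```

Running it prints one line per configured minimum. For 8, 50 and 72 the clamped length passes the check where the fixed 33 did not; for the reproduction's value of 100 the clamp yields 72, which a minimum-length check of 100 still rejects. So with this formula a deployment that relies on OTP signup needs `minimum_password_length` at or below the 72-character bcrypt ceiling.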