feat: limit maximum password length

.schemastore/config.schema.json

@@ -1524,6 +1524,13 @@
                       "default": 8,
                       "minimum": 6
                     },
+                    "max_password_length": {
+                      "title": "Maximum Password Length",
+                      "description": "Defines the maximum length of the password.",
+                      "type": "integer",
+                      "default": 1024,
+                      "minimum": 20
+                    },
                     "identifier_similarity_check_enabled": {
                       "title": "Enable password-identifier similarity check",
                       "description": "If set to false the password validation does not check for similarity between the password and the user identifier.",

driver/config/config.go

@@ -179,6 +179,7 @@ const (
 	ViperKeyPasswordHaveIBeenPwnedEnabled                    = "selfservice.methods.password.config.haveibeenpwned_enabled"
 	ViperKeyPasswordMaxBreaches                              = "selfservice.methods.password.config.max_breaches"
 	ViperKeyPasswordMinLength                                = "selfservice.methods.password.config.min_password_length"
+	ViperKeyPasswordMaxLength                                = "selfservice.methods.password.config.max_password_length"
 	ViperKeyPasswordIdentifierSimilarityCheckEnabled         = "selfservice.methods.password.config.identifier_similarity_check_enabled"
 	ViperKeyIgnoreNetworkErrors                              = "selfservice.methods.password.config.ignore_network_errors"
 	ViperKeyTOTPIssuer                                       = "selfservice.methods.totp.config.issuer"
@@ -249,6 +250,7 @@ type (
 		MaxBreaches                      uint   `json:"max_breaches"`
 		IgnoreNetworkErrors              bool   `json:"ignore_network_errors"`
 		MinPasswordLength                uint   `json:"min_password_length"`
+		MaxPasswordLength                uint   `json:"max_password_length"`
 		IdentifierSimilarityCheckEnabled bool   `json:"identifier_similarity_check_enabled"`
 	}
 	Schemas                  []Schema
@@ -1425,6 +1427,7 @@ func (p *Config) PasswordPolicyConfig(ctx context.Context) *PasswordPolicy {
 		MaxBreaches:                      uint(p.GetProvider(ctx).Int(ViperKeyPasswordMaxBreaches)),
 		IgnoreNetworkErrors:              p.GetProvider(ctx).BoolF(ViperKeyIgnoreNetworkErrors, true),
 		MinPasswordLength:                uint(p.GetProvider(ctx).IntF(ViperKeyPasswordMinLength, 8)),
+		MaxPasswordLength:                uint(p.GetProvider(ctx).IntF(ViperKeyPasswordMaxLength, 20)),
 		IdentifierSimilarityCheckEnabled: p.GetProvider(ctx).BoolF(ViperKeyPasswordIdentifierSimilarityCheckEnabled, true),
 	}
 }

driver/config/config_test.go

@@ -212,7 +212,7 @@ func TestViperProvider(t *testing.T) {
 				config  string
 				enabled bool
 			}{
-				{id: "password", enabled: true, config: `{"haveibeenpwned_host":"api.pwnedpasswords.com","haveibeenpwned_enabled":true,"ignore_network_errors":true,"max_breaches":0,"min_password_length":8,"identifier_similarity_check_enabled":true}`},
+				{id: "password", enabled: true, config: `{"haveibeenpwned_host":"api.pwnedpasswords.com","haveibeenpwned_enabled":true,"ignore_network_errors":true,"max_breaches":0,"min_password_length":8,"max_password_length":1024,"identifier_similarity_check_enabled":true}`},
 				{id: "oidc", enabled: true, config: `{"providers":[{"client_id":"a","client_secret":"b","id":"github","provider":"github","mapper_url":"http://test.kratos.ory.sh/default-identity.schema.json"}]}`},
 				{id: "totp", enabled: true, config: `{"issuer":"issuer.ory.sh"}`},
 			} {

embedx/config.schema.json

@@ -1524,6 +1524,13 @@
                       "default": 8,
                       "minimum": 6
                     },
+                    "max_password_length": {
+                      "title": "Maximum Password Length",
+                      "description": "Defines the maximum length of the password.",
+                      "type": "integer",
+                      "default": 1024,
+                      "minimum": 20
+                    },
                     "identifier_similarity_check_enabled": {
                       "title": "Enable password-identifier similarity check",
                       "description": "If set to false the password validation does not check for similarity between the password and the user identifier.",

internal/client-go/go.sum

@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

selfservice/strategy/oidc/.snapshots/TestSettingsStrategy-suite=link-case=should_link_a_connection-flow=fetch.json

@@ -60,6 +60,8 @@
   {
     "attributes": {
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "name": "password",
       "node_type": "input",

selfservice/strategy/oidc/.snapshots/TestSettingsStrategy-suite=link-case=should_link_a_connection-flow=original.json

@@ -60,6 +60,8 @@
   {
     "attributes": {
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "name": "password",
       "node_type": "input",

selfservice/strategy/oidc/.snapshots/TestSettingsStrategy-suite=link-case=should_link_a_connection-flow=response.json

@@ -65,6 +65,8 @@
       "type": "password",
       "required": true,
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "node_type": "input"
     },

selfservice/strategy/oidc/.snapshots/TestSettingsStrategy-suite=link-case=should_link_a_connection_even_if_user_does_not_have_oidc_credentials_yet.json

@@ -60,6 +60,8 @@
   {
     "attributes": {
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "name": "password",
       "node_type": "input",

selfservice/strategy/oidc/.snapshots/TestSettingsStrategy-suite=link-case=should_not_be_able_to_link_a_connection_which_already_exists.json

@@ -65,6 +65,8 @@
       "type": "password",
       "required": true,
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "node_type": "input"
     },

selfservice/strategy/oidc/.snapshots/TestSettingsStrategy-suite=link-case=should_not_be_able_to_link_an_non-existing_connection.json

@@ -65,6 +65,8 @@
       "type": "password",
       "required": true,
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "node_type": "input"
     },

selfservice/strategy/oidc/.snapshots/TestSettingsStrategy-suite=unlink-case=should_not_be_able_to_unlink_the_last_remaining_connection-flow=json.json

@@ -65,6 +65,8 @@
       "type": "password",
       "required": true,
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "node_type": "input"
     },

selfservice/strategy/password/login.go

@@ -69,6 +69,12 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
 		return nil, s.handleLoginError(w, r, f, &p, err)
 	}
 
+	// Reduce possibility of DDoS attacks with long password
+	if len([]byte(p.Password)) > int(s.d.Config().PasswordPolicyConfig(r.Context()).MaxPasswordLength) {
+		time.Sleep(x.RandomDelay(s.d.Config().HasherArgon2(r.Context()).ExpectedDuration, s.d.Config().HasherArgon2(r.Context()).ExpectedDeviation))
+		return nil, s.handleLoginError(w, r, f, &p, errors.WithStack(schema.NewInvalidCredentialsError()))
+	}
+
 	i, c, err := s.d.PrivilegedIdentityPool().FindByCredentialsIdentifier(r.Context(), s.ID(), stringsx.Coalesce(p.Identifier, p.LegacyIdentifier))
 	if err != nil {
 		time.Sleep(x.RandomDelay(s.d.Config().HasherArgon2(r.Context()).ExpectedDuration, s.d.Config().HasherArgon2(r.Context()).ExpectedDeviation))
@@ -161,7 +167,7 @@ func (s *Strategy) PopulateLoginMethod(r *http.Request, requestedAAL identity.Au
 	}
 
 	sr.UI.SetCSRF(s.d.GenerateCSRFToken(r))
-	sr.UI.SetNode(NewPasswordNode("password", node.InputAttributeAutocompleteCurrentPassword))
+	sr.UI.SetNode(NewPasswordNode("password", node.InputAttributeAutocompleteCurrentPassword, s.d.Config().PasswordPolicyConfig(r.Context())))
 	sr.UI.GetNodes().Append(node.NewInputField("method", "password", node.PasswordGroup, node.InputAttributeTypeSubmit).WithMetaLabel(text.NewInfoLogin()))
 
 	return nil

selfservice/strategy/password/nodes.go

@@ -4,15 +4,18 @@
 package password
 
 import (
+	"github.com/ory/kratos/driver/config"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/ui/node"
 )
 
-func NewPasswordNode(name string, autocomplete node.UiNodeInputAttributeAutocomplete) *node.Node {
+func NewPasswordNode(name string, autocomplete node.UiNodeInputAttributeAutocomplete, passwordPolicy *config.PasswordPolicy) *node.Node {
 	return node.NewInputField(name, nil, node.PasswordGroup,
 		node.InputAttributeTypePassword,
 		node.WithRequiredInputAttribute,
 		node.WithInputAttributes(func(a *node.InputAttributes) {
+			a.MinLength = passwordPolicy.MinPasswordLength
+			a.MaxLength = passwordPolicy.MaxPasswordLength
 			a.Autocomplete = autocomplete
 		})).
 		WithMetaLabel(text.NewInfoNodeInputPassword())

selfservice/strategy/password/registration.go

@@ -188,7 +188,7 @@ func (s *Strategy) PopulateRegistrationMethod(r *http.Request, f *registration.F
 	}
 
 	f.UI.SetCSRF(s.d.GenerateCSRFToken(r))
-	f.UI.Nodes.Upsert(NewPasswordNode("password", node.InputAttributeAutocompleteNewPassword))
+	f.UI.Nodes.Upsert(NewPasswordNode("password", node.InputAttributeAutocompleteNewPassword, s.d.Config().PasswordPolicyConfig(r.Context())))
 	f.UI.Nodes.Append(node.NewInputField("method", "password", node.PasswordGroup, node.InputAttributeTypeSubmit).WithMetaLabel(text.NewInfoRegistration()))
 
 	return nil

selfservice/strategy/password/settings.go

@@ -169,7 +169,7 @@ func (s *Strategy) continueSettingsFlow(
 
 func (s *Strategy) PopulateSettingsMethod(r *http.Request, _ *identity.Identity, f *settings.Flow) error {
 	f.UI.SetCSRF(s.d.GenerateCSRFToken(r))
-	f.UI.Nodes.Upsert(NewPasswordNode("password", node.InputAttributeAutocompleteNewPassword).WithMetaLabel(text.NewInfoNodeInputPassword()))
+	f.UI.Nodes.Upsert(NewPasswordNode("password", node.InputAttributeAutocompleteNewPassword, s.d.Config().PasswordPolicyConfig(r.Context())).WithMetaLabel(text.NewInfoNodeInputPassword()))
 	f.UI.Nodes.Append(node.NewInputField("method", "password", node.PasswordGroup, node.InputAttributeTypeSubmit).WithMetaLabel(text.NewInfoNodeLabelSave()))
 
 	return nil

selfservice/strategy/password/validator.go

@@ -184,6 +184,10 @@ func (s *DefaultPasswordValidator) validate(ctx context.Context, identifier, pas
 		return text.NewErrorValidationPasswordMinLength(int(passwordPolicyConfig.MinPasswordLength), len(password))
 	}
 
+	if len(password) > int(passwordPolicyConfig.MaxPasswordLength) {
+		return errors.Errorf("password length cannot exceed %d characters", passwordPolicyConfig.MaxPasswordLength)
+	}
+
 	if passwordPolicyConfig.IdentifierSimilarityCheckEnabled && len(identifier) > 0 {
 		compIdentifier, compPassword := strings.ToLower(identifier), strings.ToLower(password)
 		dist := levenshtein.Distance(compIdentifier, compPassword)

selfservice/strategy/profile/.snapshots/TestStrategyTraits-description=hydrate_the_proper_fields-type=api#01.json

@@ -113,6 +113,8 @@
     {
       "attributes": {
         "autocomplete": "new-password",
+        "minlength": 8,
+        "maxlength": 1024,
         "disabled": false,
         "name": "password",
         "node_type": "input",

selfservice/strategy/profile/.snapshots/TestStrategyTraits-description=hydrate_the_proper_fields-type=api.json

@@ -113,6 +113,8 @@
     {
       "attributes": {
         "autocomplete": "new-password",
+        "minlength": 8,
+        "maxlength": 1024,
         "disabled": false,
         "name": "password",
         "node_type": "input",

selfservice/strategy/profile/.snapshots/TestStrategyTraits-description=hydrate_the_proper_fields-type=browser.json

@@ -113,6 +113,8 @@
     {
       "attributes": {
         "autocomplete": "new-password",
+        "minlength": 8,
+        "maxlength": 1024,
         "disabled": false,
         "name": "password",
         "node_type": "input",

selfservice/strategy/webauthn/.snapshots/TestRegistration-case=webauthn_button_does_not_exist_when_passwordless_is_disabled-browser.json

@@ -28,6 +28,8 @@
   {
     "attributes": {
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "name": "password",
       "node_type": "input",

selfservice/strategy/webauthn/.snapshots/TestRegistration-case=webauthn_button_does_not_exist_when_passwordless_is_disabled-spa.json

@@ -28,6 +28,8 @@
   {
     "attributes": {
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "name": "password",
       "node_type": "input",

selfservice/strategy/webauthn/.snapshots/TestRegistration-case=webauthn_button_exists-browser.json

@@ -107,6 +107,8 @@
   {
     "attributes": {
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "name": "password",
       "node_type": "input",

selfservice/strategy/webauthn/.snapshots/TestRegistration-case=webauthn_button_exists-spa.json

@@ -107,6 +107,8 @@
   {
     "attributes": {
       "autocomplete": "new-password",
+      "minlength": 8,
+      "maxlength": 1024,
       "disabled": false,
       "name": "password",
       "node_type": "input",

test/e2e/cypress/support/config.d.ts

@@ -139,6 +139,10 @@ export type IgnoreLookupNetworkErrors = boolean
  * Defines the minimum length of the password.
  */
 export type MinimumPasswordLength = number
+/**
+ * Defines the maximum length of the password.
+ */
+export type MaximumPasswordLength = number
 /**
  * If set to false the password validation does not check for similarity between the password and the user identifier.
  */
@@ -875,6 +879,7 @@ export interface PasswordConfiguration {
   max_breaches?: AllowPasswordBreaches
   ignore_network_errors?: IgnoreLookupNetworkErrors
   min_password_length?: MinimumPasswordLength
+  max_password_length?: MaximumPasswordLength
   identifier_similarity_check_enabled?: EnablePasswordIdentifierSimilarityCheck
 }
 export interface TOTPConfiguration {

ui/node/attributes.go

@@ -78,6 +78,12 @@ type InputAttributes struct {
 	// The autocomplete attribute for the input.
 	Autocomplete UiNodeInputAttributeAutocomplete `json:"autocomplete,omitempty"`
 
+	// The minlength attribute for the input.
+	MinLength uint `json:"minlength,omitempty"`
+
+	// The maxlength attribute for the input.
+	MaxLength uint `json:"maxlength,omitempty"`
+
 	// The input's label text.
 	Label *text.Message `json:"label,omitempty"`
 

ui/node/fixtures/sort/expected/1.json

@@ -85,6 +85,8 @@
     "attributes": {
       "name": "password",
       "type": "password",
+      "minlength": 8,
+      "maxlength": 1024,
       "required": true,
       "disabled": false,
       "node_type": "input"

ui/node/fixtures/sort/expected/2.json

@@ -83,6 +83,8 @@
     "attributes": {
       "name": "password",
       "type": "password",
+      "minlength": 8,
+      "maxlength": 1024,
       "required": true,
       "disabled": false,
       "node_type": "input"

ui/node/fixtures/sort/expected/4.json

@@ -63,6 +63,8 @@
     "attributes": {
       "name": "password",
       "type": "password",
+      "minlength": 8,
+      "maxlength": 1024,
       "required": true,
       "disabled": false,
       "node_type": "input"

ui/node/fixtures/sort/input/1.json

@@ -84,6 +84,8 @@
     "attributes": {
       "name": "password",
       "type": "password",
+      "minlength": 8,
+      "maxlength": 1024,
       "required": true,
       "disabled": false
     },

ui/node/fixtures/sort/input/2.json

@@ -16,6 +16,8 @@
     "attributes": {
       "name": "password",
       "type": "password",
+      "minlength": 8,
+      "maxlength": 1024,
       "required": true,
       "disabled": false
     },

ui/node/fixtures/sort/input/4.json

@@ -57,6 +57,8 @@
     "attributes": {
       "disabled": false,
       "name": "password",
+      "minlength": 8,
+      "maxlength": 1024,
       "required": true,
       "type": "password"
     },