breakfix: respect password policy from users.json #338

Open
tribor opened this issue May 23, 2024 · 2 comments

tribor commented May 23, 2024

  • I changed the settings in the users.json to accept one-character passwords (in combination with MFA)
  • reloaded Caddy
  • in the UI (User Dashboard) I tried then to update my password to a password with only one character. An error occurs
    The password is non compliant. It should contain 8-254 characters

This seems to be hardcoded in the UI, because the min_length and max_length in users.json are set to 1 and 128

Configuration
users.json:

{
  "version": "1.1.4",
  "policy": {
    "password": {
      "keep_versions": 2,
      "min_length": 1,
      "max_length": 128,
      "require_uppercase": false,
      "require_lowercase": false,
      "require_number": false,
      "require_non_alpha_numeric": false,
      "block_reuse": false,
      "block_password_change": false
    },
    "user": {
      "min_length": 3,
      "max_length": 50,
      "allow_non_alpha_numeric": false,
      "allow_uppercase": false
    }
  },
[..]

Version Information

http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

-> The settings in the users.json should allow me to set this short password.

In general, the settings of the file and the user dashboard should match. The check during input in the UI should therefore use the corresponding values of the file as threshold values.

In addition, it would be useful if the UI had a section for managing the password policy
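
Added example (not part of the issue and not the project's own code): one way a password check can take its limits from the policy.password block of users.json instead of fixed values. The JSON keys are the ones in the configuration above; the Go type and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"unicode"
)

// PasswordPolicy mirrors the policy.password keys from the users.json above (hypothetical type).
type PasswordPolicy struct {
	MinLength              int  `json:"min_length"`
	MaxLength              int  `json:"max_length"`
	RequireUppercase       bool `json:"require_uppercase"`
	RequireLowercase       bool `json:"require_lowercase"`
	RequireNumber          bool `json:"require_number"`
	RequireNonAlphaNumeric bool `json:"require_non_alpha_numeric"`
}

// LoadPolicy extracts policy.password from a users.json document.
func LoadPolicy(doc []byte) (PasswordPolicy, error) {
	var db struct {
		Policy struct{ Password PasswordPolicy `json:"password"` } `json:"policy"`
	}
	err := json.Unmarshal(doc, &db)
	return db.Policy.Password, err
}

// Check validates pw; the error text reports the configured limits, not fixed ones.
func (p PasswordPolicy) Check(pw string) error {
	if n := len([]rune(pw)); n < p.MinLength || n > p.MaxLength {
		return fmt.Errorf("should contain %d-%d characters", p.MinLength, p.MaxLength)
	}
	var upper, lower, digit, other bool
	for _, r := range pw {
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
		digit = digit || unicode.IsDigit(r)
		other = other || !(unicode.IsLetter(r) || unicode.IsDigit(r))
	}
	if (p.RequireUppercase && !upper) || (p.RequireLowercase && !lower) ||
		(p.RequireNumber && !digit) || (p.RequireNonAlphaNumeric && !other) {
		return fmt.Errorf("missing a required character class")
	}
	return nil
}

func main() { // sample document constructed from the values in the issue
	p, err := LoadPolicy([]byte(`{"policy":{"password":{"min_length":1,"max_length":128}}}`))
	fmt.Println(err, p.Check("x"), PasswordPolicy{MinLength: 8, MaxLength: 254}.Check("x"))
}
```

The last call uses the 8-254 limits from the UI error message to show the mismatch: the same one-character password passes the file's policy and fails the fixed one.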

@greenpau
Owner

@tribor, I will soon begin the redesign of the users database. Will take this into account. Thank you for reporting this!

tribor commented Oct 21, 2024

Thanks for taking the time to look at it. Do you have any idea when it will happen?
