SHARD-8982: limit password length (#72)

* feat: limit password length

* feat: Add description

* fix: password authentication

api/auth.ts

@@ -6,7 +6,6 @@ import rateLimit from 'express-rate-limit';
 const yaml = require('js-yaml')
 const jwt = require('jsonwebtoken')
 import { doubleCsrfProtection } from './csrf';
-import argon2id from 'argon2';
 
 function isValidSecret(secret: unknown) {
   return typeof secret === 'string' && secret.length >= 32;
@@ -23,9 +22,15 @@ crypto.init('64f152869ca2d473e4ba64ab53f49ccdb2edae22da192c126850970e788af347');
 
 export const loginHandler = [doubleCsrfProtection, async (req: Request, res: Response) => {
   const password = req.body && req.body.password
-  const hashedPass = await argon2id.hash(password);
+
+  // Make sure password is defined and is a string
+  if (!password || typeof password !== 'string') {
+    res.status(400).send({ error: 'Invalid password' })
+    return
+  }
+
   // Exec the CLI validator login command
-  execFile('/usr/local/bin/operator-cli', ['gui', 'login', hashedPass], (err, stdout, stderr) => {
+  execFile('/usr/local/bin/operator-cli', ['gui', 'login', password], (err, stdout, stderr) => {
     if (err) {
       cliStderrResponse(res, 'Unable to check login', err.message)
       return

api/handlers/node.ts

@@ -15,9 +15,7 @@ import path from 'path';
 import { existsSync } from 'fs';
 import asyncRouteHandler from './async-router-handler';
 import fs from 'fs';
-import * as crypto from '@shardus/crypto-utils';
 import { doubleCsrfProtection } from '../csrf';
-import argon2id from 'argon2';
 
 const yaml = require('js-yaml')
 
@@ -170,8 +168,11 @@ export default function configureNodeHandlers(apiRouter: Router) {
       newPassword: string;
     }>, res: Response) => {
       const password = req.body && req.body.currentPassword
-      const hashedPass = await argon2id.hash(password);
-      const stdout = execFileSync('/usr/local/bin/operator-cli', ['gui', 'login', hashedPass], { encoding: 'utf8' });
+      if (!password || typeof password !== 'string') {
+        badRequestResponse(res, 'Invalid password');
+        return;
+      }
+      const stdout = execFileSync('/usr/local/bin/operator-cli', ['gui', 'login', password], { encoding: 'utf8' });
       const cliResponse = yaml.load(stdout);
 
       if (cliResponse.login !== 'authorized') {

components/molecules/PasswordResetForm.tsx

@@ -14,6 +14,7 @@ type FormData = {
 function validPassword(password: string) {
   return (
     password.length >= 8 &&
+    password.length <= 128 &&
     /[A-Z]/.test(password) &&
     /[a-z]/.test(password) &&
     /[0-9]/.test(password) &&
@@ -84,13 +85,11 @@ const PasswordResetForm = () => {
       setError(
         `newPassword`,
         {
-          message:
-            "The password does not meet the requirements!",
+          message: "The password does not meet the requirements!",
         },
         { shouldFocus: true }
       );
-    }
-    else if (data.currentPassword == data.newPassword) {
+    } else if (data.currentPassword == data.newPassword) {
       setError(
         `newPassword`,
         { message: "New password is the same as the current password" },
@@ -105,7 +104,7 @@ const PasswordResetForm = () => {
     } else {
       await changePassword(data.currentPassword, data.newPassword);
       resetForm();
-      setIsPasswordReset(true);  // Show success alert
+      setIsPasswordReset(true); // Show success alert
 
       // Hide the alert after 3 seconds
       setTimeout(() => {
@@ -118,8 +117,10 @@ const PasswordResetForm = () => {
     <div className="flex flex-col gap-y-2">
       <span className="font-semibold">Password Reset</span>
       <p className="text-sm text-gray-500">
-        Password requirements: min 8 characters, at least 1 lower case letter, at least 1 upper case letter, at least 1
-        number, at least 1 special character (<span className="text-sm text-gray-400">{"!@#$%^&*()_+*$"}</span>)
+        Password requirements: min 8 characters, max 128 characters, at least 1
+        lower case letter, at least 1 upper case letter, at least 1 number, at
+        least 1 special character (
+        <span className="text-sm text-gray-400">{"!@#$%^&*()_+*$"}</span>)
       </p>
       <Card>
         <form
@@ -130,7 +131,10 @@ const PasswordResetForm = () => {
           {isPasswordReset && (
             <div className="bg-green-100 border border-green-400 text-green-700 px-4 py-3 rounded relative mb-4">
               <strong className="font-bold">Success!</strong>
-              <span className="block sm:inline"> Your password has been reset successfully.</span>
+              <span className="block sm:inline">
+                {" "}
+                Your password has been reset successfully.
+              </span>
             </div>
           )}
 

package.json

@@ -13,7 +13,6 @@
     "@rainbow-me/rainbowkit": "1.0.7",
     "@shardus/crypto-utils": "git+https://github.com/shardeum/lib-crypto-utils#v4.1.3",
     "@walletconnect/modal": "^2.6.2",
-    "argon2": "0.41.1",
     "chart.js": "4.3.0",
     "cookie-parser": "^1.4.6",
     "csrf-csrf": "^3.0.6",