Skip to content

Commit

Permalink
fix: ignore commata in HIBP response
Browse files Browse the repository at this point in the history
  • Loading branch information
aeneasr committed Aug 26, 2022
1 parent d56586b commit 0856bd7
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
2 changes: 1 addition & 1 deletion selfservice/strategy/password/validator.go
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ func (s *DefaultPasswordValidator) fetch(hpw []byte, apiDNSName string) (int64,
// See https://github.com/ory/kratos/issues/2145
count := int64(1)
if len(result) == 2 {
count, err = strconv.ParseInt(result[1], 10, 64)
count, err = strconv.ParseInt(strings.ReplaceAll(result[1], ",", ""), 10, 64)
if err != nil {
return 0, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Expected password hash to contain a count formatted as int but got: %s", result[1]))
}
Expand Down
12 changes: 12 additions & 0 deletions selfservice/strategy/password/validator_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,18 @@ func TestDefaultPasswordValidationStrategy(t *testing.T) {
)
},
},
{
name: "contains less than maxBreachesThreshold with a leading comma",
res: func(t *testing.T, hash string) string {
return fmt.Sprintf(
"%s:%d\n%s:0,%d",
hash,
conf.PasswordPolicyConfig(ctx).MaxBreaches,
hashPw(t, randomPassword(t)),
conf.PasswordPolicyConfig(ctx).MaxBreaches+1,
)
},
},
{
name: "contains more than maxBreachesThreshold",
res: func(t *testing.T, hash string) string {
Expand Down

0 comments on commit 0856bd7

Please sign in to comment.