diff --git a/selfservice/strategy/password/validator.go b/selfservice/strategy/password/validator.go
index 342316909530..23b8ffa0b1e1 100644
--- a/selfservice/strategy/password/validator.go
+++ b/selfservice/strategy/password/validator.go
@@ -138,7 +138,7 @@ func (s *DefaultPasswordValidator) fetch(hpw []byte, apiDNSName string) (int64,
 // See https://github.com/ory/kratos/issues/2145
 count := int64(1)
 if len(result) == 2 {
- count, err = strconv.ParseInt(result[1], 10, 64)
+ count, err = strconv.ParseInt(strings.ReplaceAll(result[1], ",", ""), 10, 64)
 if err != nil {
 return 0, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Expected password hash to contain a count formatted as int but got: %s", result[1]))
 }
diff --git a/selfservice/strategy/password/validator_test.go b/selfservice/strategy/password/validator_test.go
index 8e71ec476b18..36d0e28b296a 100644
--- a/selfservice/strategy/password/validator_test.go
+++ b/selfservice/strategy/password/validator_test.go
@@ -204,6 +204,18 @@ func TestDefaultPasswordValidationStrategy(t *testing.T) {
 )
 },
 },
+ {
+ name: "contains less than maxBreachesThreshold with a leading comma",
+ res: func(t *testing.T, hash string) string {
+ return fmt.Sprintf(
+ "%s:%d\n%s:0,%d",
+ hash,
+ conf.PasswordPolicyConfig(ctx).MaxBreaches,
+ hashPw(t, randomPassword(t)),
+ conf.PasswordPolicyConfig(ctx).MaxBreaches+1,
+ )
+ },
+ },
 {
 name: "contains more than maxBreachesThreshold",
 res: func(t *testing.T, hash string) string {
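Review bot: `strings.ReplaceAll(result[1], ",", "")` removes every comma wherever it sits, so malformed values such as `1,,2` or `,5` now parse as valid counts, and nothing on the line says which format is being tolerated; the comment above points at issue 2145, which appears to cover the missing-count case only. I would add `// counts may arrive with embedded commas (the "0,N" form in the test fixture); strip them before parsing` above the call. Because the value comes from a remote response and presumably feeds the breach-threshold decision, the guard could also refuse a signed result, which `strconv.ParseInt` accepts: `if err != nil || count < 0 {`. The error reason still formats the raw remote string with `%s`; `%q` would keep control characters and empty values visible in logs. The body of fetch starts and ends outside this hunk, so the caller's handling of the returned count is not visible here.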
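Review bot: The new case puts the comma-formatted count (`%s:0,%d`) on the line for a random hash, not on the line for the password under test, so it only shows that such a line no longer makes the lookup fail. It does not show that a comma-formatted count on the matching hash is compared against `MaxBreaches` correctly. I would add a sibling case whose matching line carries the comma form with a count above the threshold and which expects rejection, using whatever expectation field the neighbouring cases use (the table's other fields are outside the hunk). The name says "leading comma" while the fixture has a `0` before the comma; something like `"tolerates a comma-formatted count on an unrelated hash"` would describe it more accurately.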