From 0856bd719b7e06a6d2163bf428ff6513d86376db Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Fri, 26 Aug 2022 12:44:29 +0200
Subject: [PATCH] fix: ignore commata in HIBP response

---
 selfservice/strategy/password/validator.go      |  2 +-
 selfservice/strategy/password/validator_test.go | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/selfservice/strategy/password/validator.go b/selfservice/strategy/password/validator.go
index 342316909530..23b8ffa0b1e1 100644
--- a/selfservice/strategy/password/validator.go
+++ b/selfservice/strategy/password/validator.go
@@ -138,7 +138,7 @@ func (s *DefaultPasswordValidator) fetch(hpw []byte, apiDNSName string) (int64,
 		// See https://github.com/ory/kratos/issues/2145
 		count := int64(1)
 		if len(result) == 2 {
-			count, err = strconv.ParseInt(result[1], 10, 64)
+			count, err = strconv.ParseInt(strings.ReplaceAll(result[1], ",", ""), 10, 64)
 			if err != nil {
 				return 0, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Expected password hash to contain a count formatted as int but got: %s", result[1]))
 			}
diff --git a/selfservice/strategy/password/validator_test.go b/selfservice/strategy/password/validator_test.go
index 8e71ec476b18..36d0e28b296a 100644
--- a/selfservice/strategy/password/validator_test.go
+++ b/selfservice/strategy/password/validator_test.go
@@ -204,6 +204,18 @@ func TestDefaultPasswordValidationStrategy(t *testing.T) {
 					)
 				},
 			},
+			{
+				name: "contains less than maxBreachesThreshold with a leading comma",
+				res: func(t *testing.T, hash string) string {
+					return fmt.Sprintf(
+						"%s:%d\n%s:0,%d",
+						hash,
+						conf.PasswordPolicyConfig(ctx).MaxBreaches,
+						hashPw(t, randomPassword(t)),
+						conf.PasswordPolicyConfig(ctx).MaxBreaches+1,
+					)
+				},
+			},
 			{
 				name: "contains more than maxBreachesThreshold",
 				res: func(t *testing.T, hash string) string {