Disallow too long passwords for users.

Devise default hashing algorithm Bcrypt uses only 72 bytes of data in order to create a password hash. Rest of it is truncated, leading to some potential serious security vulnerabilities.
marcel-strzalka · Oct 5, 2022 · 298e834 · 298e834
1 parent 82449db
commit 298e834
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,9 +1,15 @@
 # frozen_string_literal: true
 
 class User < ApplicationRecord
+  BCRYPT_BYTESIZE_LIMIT = 72
+
   devise :database_authenticatable, :registerable, :recoverable, :rememberable, :validatable
 
   has_many :reservations, dependent: :destroy
 
   enum :role, %i[customer manager]
+
+  validate do
+    errors.add(:base, 'Password is too long') if password.bytesize > BCRYPT_BYTESIZE_LIMIT
+  end
 end