Only check invalid size passwords on register

This commit is contained in:
Omar Roth 2018-11-04 08:30:16 -06:00
parent 7e558c5b1d
commit c912e63fb5

View file

@ -803,17 +803,6 @@ post "/login" do |env|
next templated "error"
end
if password.empty?
error_message = "Password cannot be empty"
next templated "error"
end
# See https://security.stackexchange.com/a/39851
if password.size > 55
error_message = "Password cannot be longer than 55 characters"
next templated "error"
end
if !challenge_response || !token
error_message = "CAPTCHA is a required field"
next templated "error"
@ -856,6 +845,17 @@ post "/login" do |env|
next templated "error"
end
elsif action == "register"
if password.empty?
error_message = "Password cannot be empty"
next templated "error"
end
# See https://security.stackexchange.com/a/39851
if password.size > 55
error_message = "Password cannot be longer than 55 characters"
next templated "error"
end
user = PG_DB.query_one?("SELECT * FROM users WHERE LOWER(email) = LOWER($1) AND password IS NOT NULL", email, as: User)
if user
error_message = "Please sign in"