Merge pull request #311 from SpiderOak/BAC-3951-check-lengths

Expected bcrypt hash
SpiderOak · Sep 10, 2018 · 8710c6a · 8710c6a
2 parents 7aabef5 + aaa47d5
commit 8710c6a
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/django/apps/openmanage/views.py b/django/apps/openmanage/views.py
@@ -28,6 +28,8 @@
 CHALLENGE_EXPIRATION_TIME = 60
 KEYLEN = nacl.secret.SecretBox.KEY_SIZE
 ITERATIONS = 100    # from py-bcrypt readme, maybe need to tweak this
+BCRYPT_HASH_LENGTH = 60
+
 
 def setup_logging():
     handler = logging.StreamHandler()
@@ -253,10 +255,8 @@ def password(request):
         except KeyError:
             log.error("Got bad request. Missing arguments.")
             return HttpResponse()
-        if len(new_password) < minimum_password_length:
-            message = 'Password too short. It should be at least {} characters long'.format(
-                minimum_password_length
-            )
+        if len(new_password) != BCRYPT_HASH_LENGTH:
+            message = 'Expected bcrypt hash'
             log.warning(message)
             return HttpResponseBadRequest(
                 content=message,