From cabbc8f6a58635bdae4002e6553ebed2206fd17d Mon Sep 17 00:00:00 2001
From: Akshay Vishnoi <akshay.vishnoi@vinsol.com>
Date: Sat, 14 Jun 2014 12:35:31 +0530
Subject: SecurePassword - Validate password must be less than or equal to 72
 See #14591, Reason - BCrypt hash function can handle maximum 72 characters.

---
 activemodel/lib/active_model/secure_password.rb | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'activemodel/lib')

diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 4033eb5808..879db59b34 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -2,6 +2,11 @@ module ActiveModel
   module SecurePassword
     extend ActiveSupport::Concern
 
+    # BCrypt hash function can handle maximum 72 characters, and if we pass
+    # password of length more than 72 characters it ignores extra characters.
+    # Hence need to put a restriction on password length.
+    MAX_PASSWORD_LENGTH_ALLOWED = 72
+
     class << self
       attr_accessor :min_cost # :nodoc:
     end
@@ -63,6 +68,7 @@ module ActiveModel
             record.errors.add(:password, :blank) unless record.password_digest.present?
           end
 
+          validates_length_of :password, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
           validates_confirmation_of :password, if: ->{ password.present? }
         end
 
-- 
cgit v1.2.3