Diffstat (limited to 'src/invidious.cr')
-rw-r--r--src/invidious.cr26
1 files changed, 14 insertions, 12 deletions
diff --git a/src/invidious.cr b/src/invidious.cr
index a7cd137c..ad4401a7 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1073,7 +1073,7 @@ post "/login" do |env|
next templated "error"
end
- if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
+ if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
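Review bot: The login comparison now silently truncates the submitted password with `password.byte_slice(0, 55)`, while the signup path in the following hunk rejects anything over 55 bytes with an error, so the two sides of the same rule behave differently. Before this change signup only limited `password.size` (characters), so an existing account whose password is under 55 characters but over 55 bytes may no longer be able to log in if its stored hash was computed over the full input — I cannot confirm that from the hunk, but it is worth checking before release. Mirroring the signup check here instead of truncating, `if password.bytesize > 55` / `error_message = translate(locale, "Password should not be longer than 55 characters")` / `next templated "error"`, and then comparing the untruncated `password`, would give one consistent limit and an explicit error instead of a silent mismatch. If truncation is kept on purpose, a comment such as `# Limit is bytes, not characters, to match signup; byte_slice may split a multi-byte UTF-8 character, which is harmless for bcrypt` would record the intent. The enclosing `post "/login"` handler starts before this hunk.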
@@ -1107,6 +1107,19 @@ post "/login" do |env|
next templated "error"
end
+ if password.empty?
+ error_message = translate(locale, "Password cannot be empty")
+ next templated "error"
+ end
+
+ # See https://security.stackexchange.com/a/39851
+ if password.bytesize > 55
+ error_message = translate(locale, "Password should not be longer than 55 characters")
+ next templated "error"
+ end
+
+ password = password.byte_slice(0, 55)
+
if config.captcha_enabled
captcha_type = env.params.body["captcha_type"]?
answer = env.params.body["answer"]?
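Review bot: `password = password.byte_slice(0, 55)` is a no-op here, because the `if password.bytesize > 55` guard immediately above already rejects anything longer; either drop the line or mark it as deliberate defense in depth with a comment like `# Redundant with the check above; keeps the bcrypt input bounded even if the guard is later moved`. The user-facing text was also changed from "cannot be longer" to "should not be longer", and since `translate(locale, ...)` appears to use the English sentence as the lookup key, the locale files need the same edit or the new key will presumably render untranslated (the locale files are not in this diff, so I cannot confirm). The limit is now measured in bytes while the message still says "characters", so a short password made of multi-byte UTF-8 characters can be rejected with a message that does not match what the user typed; a comment such as `# bytesize, not size: bcrypt hashes raw bytes and the limit is in bytes` next to the check would at least make the mismatch visible to the next maintainer. The same checks are removed from their old position in the third hunk; the enclosing handler continues outside this hunk.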
@@ -1168,17 +1181,6 @@ post "/login" do |env|
end
end
- if password.empty?
- error_message = translate(locale, "Password cannot be empty")
- next templated "error"
- end
-
- # See https://security.stackexchange.com/a/39851
- if password.size > 55
- error_message = translate(locale, "Password cannot be longer than 55 characters")
- next templated "error"
- end
-
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, password)
user_array = user.to_a