Set the max limit on password size with some notes about BCrypt usage…

… for clarity. Fixes #691 (#692)
luckyframework · Oct 28, 2021 · 10004ae · 10004ae
1 parent 947dbc3
commit 10004ae
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/src/base_authentication_app_skeleton/src/operations/mixins/password_validations.cr b/src/base_authentication_app_skeleton/src/operations/mixins/password_validations.cr
@@ -6,6 +6,7 @@ module PasswordValidations
   private def run_password_validations
     validate_required password, password_confirmation
     validate_confirmation_of password, with: password_confirmation
-    validate_size_of password, min: 6
+    # 72 is a limitation of BCrypt
+    validate_size_of password, min: 6, max: 72
   end
 end
diff --git a/src/web_app_skeleton/config/authentic.cr b/src/web_app_skeleton/config/authentic.cr
@@ -4,6 +4,7 @@ Authentic.configure do |settings|
   settings.secret_key = Lucky::Server.settings.secret_key_base
 
   unless LuckyEnv.production?
+    # This value can be between 4 and 31
     fastest_encryption_possible = 4
     settings.encryption_cost = fastest_encryption_possible
   end