Password is too long

[mrgohin]

Steps to Reproduce

1. Got to https://your-instance/launchpad
2. Enter an email and password
3. Make sure you have no idea what is the maximum length of the password field

Expected Behaviour

Choose a password with maximum length of X and use only following character Y

Observed Behaviour

Context

Create an admin user

Technical Info

• URL:
• Browser Name and version: unimportant
• Operating System and version (desktop or mobile): unimportant
• Signed in as: unimportant
• Project and/or file: unimportant

Analysis

• Created an issue for improvement
• Probably the answer:

  overleaf/services/web/app/src/Features/Authentication/AuthenticationManager.js

  Lines 42 to 51 in a722ca9

  	function _validatePasswordNotTooLong(password) {
  	// bcrypt has a hard limit of 72 characters.
  	if (password.length > 72) {
  	return new InvalidPasswordError({
  	message: 'password is too long',
  	info: { code: 'too_long' },
  	})
  	}
  	return null
  	}

[das7pad]

Hello,

Thank you for your feedback. We are using bcrypt for protecting user passwords. As you might have spotted in the code snippet, bcrypt has a limit of 72 character for its input.
We have considered limiting the length of the HTML input field, but ultimately decided against it as the user feedback for entering too long values into fields in not very user friendly in all browsers. Notably, users (and password managers) may "think" that they submitted a very long password, but in fact only a prefix was accepted. The server-side check is a good compromise here.

Greetings,
Jakob