From 735f69642c3b3d7231ea59fda2d2ccedfd4173cd Mon Sep 17 00:00:00 2001 From: Alex Bogdanovski Date: Wed, 18 May 2022 16:30:24 +0300 Subject: [PATCH] added max length for user passwords --- para-core/src/main/java/com/erudika/para/core/User.java | 8 +++++++- .../com/erudika/para/core/validation/ValidationUtils.java | 7 +++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/para-core/src/main/java/com/erudika/para/core/User.java b/para-core/src/main/java/com/erudika/para/core/User.java index 07b1406d..ce0adc5b 100644 --- a/para-core/src/main/java/com/erudika/para/core/User.java +++ b/para-core/src/main/java/com/erudika/para/core/User.java @@ -32,6 +32,7 @@ import java.util.HashMap; import java.util.List; import java.util.Objects; +import javax.validation.constraints.Max; import javax.validation.constraints.NotBlank; import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; @@ -45,6 +46,11 @@ public class User implements ParaObject { private static final long serialVersionUID = 1L; private static Logger logger = LoggerFactory.getLogger(User.class); + /** + * Maximum password length. + */ + public static final int MAX_PASSWORD_LENGTH = 500; + @Stored @Locked private String id; @Stored @Locked private Long timestamp; @Stored @Locked private String type; @@ -74,7 +80,7 @@ public class User implements ParaObject { @Stored private String idpAccessToken; @Stored private String idpRefreshToken; - private transient String password; + private transient @Max(MAX_PASSWORD_LENGTH) String password; /** * No-args constructor. diff --git a/para-core/src/main/java/com/erudika/para/core/validation/ValidationUtils.java b/para-core/src/main/java/com/erudika/para/core/validation/ValidationUtils.java index 5a2eb201..10a3dc20 100644 --- a/para-core/src/main/java/com/erudika/para/core/validation/ValidationUtils.java +++ b/para-core/src/main/java/com/erudika/para/core/validation/ValidationUtils.java 
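Review bot: `@Max(MAX_PASSWORD_LENGTH)` on the `password` field (third User.java hunk) bounds a numeric value, not a string length, so it does not enforce what the commit title describes. Bean Validation defines `@Max` for numeric types; if the provider is Hibernate Validator (not visible in this patch), its CharSequence support parses the string as a number, so an ordinary non-numeric password would fail validation while a long all-digit string with a small numeric value could still pass. A length cap would be `private transient @Size(max = MAX_PASSWORD_LENGTH) String password;` with `import javax.validation.constraints.Size;` replacing the `Max` import. The ValidationUtils hunk registers the same limit under the key `max` via `Constraint.max(...)`; that class is not shown, so confirm it measures length rather than numeric value. Since the field is `transient` and the hashing code is outside this patch, also check that over-long input is rejected where the password is actually hashed.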
@@ -17,12 +17,13 @@ */ package com.erudika.para.core.validation; -import com.erudika.para.core.annotations.Email; import com.erudika.para.core.App; import com.erudika.para.core.ParaObject; -import com.erudika.para.core.utils.ParaObjectUtils; import com.erudika.para.core.Sysprop; +import com.erudika.para.core.User; +import com.erudika.para.core.annotations.Email; import com.erudika.para.core.utils.Config; +import com.erudika.para.core.utils.ParaObjectUtils; import com.erudika.para.core.utils.Utils; import static com.erudika.para.core.validation.Constraint.digits; import static com.erudika.para.core.validation.Constraint.email; @@ -260,6 +261,8 @@ private static boolean isValidSimpleConstraint(String cName, String field, Objec } } } + CORE_CONSTRAINTS.get(Utils.type(User.class)).put("password", + Collections.singletonMap("max", Constraint.max(User.MAX_PASSWORD_LENGTH).getPayload())); } return Collections.unmodifiableMap(CORE_CONSTRAINTS); }
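Review bot: The added `CORE_CONSTRAINTS.get(Utils.type(User.class)).put("password", ...)` dereferences the lookup without a null check, so it relies on the nested block above it having already created an entry for `User`. That block and the enclosing method begin outside the hunk (the `isValidSimpleConstraint` in the `@@` header is only the nearest preceding signature), so this cannot be confirmed from here. If the entry were ever missing, constraint initialisation would fail with a NullPointerException. `CORE_CONSTRAINTS.computeIfAbsent(Utils.type(User.class), k -> new HashMap<>()).put("password", ...)` would remove the ordering dependency, assuming the map's value type accepts a `HashMap`. A one-line comment saying why `password` is registered by hand rather than discovered with the other fields would also help the next reader.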