coder · defelmnq · Nov 5, 2024 · Oct 18, 2024 · Oct 18, 2024 · Oct 22, 2024
diff --git a/coderd/userpassword/userpassword.go b/coderd/userpassword/userpassword.go
@@ -10,7 +10,6 @@ import (
 	"strconv"
 	"strings"
 
-	passwordvalidator "github.com/wagslane/go-password-validator"
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
@@ -138,10 +137,8 @@ func hashWithSaltAndIter(password string, salt []byte, iter int) string {
 // It returns properly formatted errors for detailed form validation on the client.
 func Validate(password string) error {
 	// Ensure passwords are secure enough!
-	// See: https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
-	err := passwordvalidator.Validate(password, 52)
-	if err != nil {
-		return err
+	if len(password) < 6 {
+		return xerrors.Errorf("password must be at least %d characters", 6)
 	}
 	if len(password) > 64 {
 		return xerrors.Errorf("password must be no more than %d characters", 64)

diff --git a/coderd/userpassword/userpassword_test.go b/coderd/userpassword/userpassword_test.go
@@ -5,6 +5,7 @@
 package userpassword_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -14,6 +15,32 @@ import (
 
 func TestUserPassword(t *testing.T) {
 	t.Parallel()
+
+	t.Run("Invalid - Too short password", func(t *testing.T) {
+		t.Parallel()
+		err := userpassword.Validate("pass")
+		require.Error(t, err)
+	})
+
+	t.Run("Invalid - Too long password", func(t *testing.T) {
+		t.Parallel()
+
+		var sb strings.Builder
+		for i := 0; i < 65; i++ {
+			sb.WriteString("a")
+		}
+
+		err := userpassword.Validate(sb.String())
+		require.Error(t, err)
+	})
+
+	t.Run("Ok", func(t *testing.T) {
+		t.Parallel()
+
+		err := userpassword.Validate("CorrectPassword")
+		require.NoError(t, err)
+	})
+
 	t.Run("Legacy", func(t *testing.T) {
 		t.Parallel()
 		// Ensures legacy v1 passwords function for v2.

@@ -30,6 +30,8 @@ export const Language = {
 	usernameLabel: "Username",
 	emailInvalid: "Please enter a valid email address.",
 	emailRequired: "Please enter an email address.",
+	passwordTooShort: "Password should be at least 6 characters.",
+	passwordTooLong: "Password should be no more than 64 characters.",
 	passwordRequired: "Please enter a password.",
 	create: "Create account",
 	welcomeMessage: <>Welcome to Coder</>,
@@ -54,7 +56,10 @@ const validationSchema = Yup.object({
 		.trim()
 		.email(Language.emailInvalid)
 		.required(Language.emailRequired),
-	password: Yup.string().required(Language.passwordRequired),
+	password: Yup.string()
+		.min(6, Language.passwordTooShort)
+		.max(64, Language.passwordTooLong)
+		.required(Language.passwordRequired),
 	username: nameValidator(Language.usernameLabel),
 	trial: Yup.bool(),
 	trial_info: Yup.object().when("trial", {