TASK-031: Enforce bcrypt 72-byte password limit

Bcrypt silently truncates passwords at 72 bytes, so passwords longer than 72 characters provide no additional security. This commit enforces the 72-byte maximum across the authentication and setup flows. Changes: - Add max_length=72 to LoginRequest.password and SetupRequest.master_password - Update field validator in SetupRequest to explicitly check max_length - Add comprehensive tests for password length validation (6 new test cases) - Document the 72-byte limitation in Features.md (master password options) - Add new section 12 'Password Hashing' in Backend-Development.md explaining: - The bcrypt truncation behavior - Why the limit is enforced - The validation flow from frontend to backend - What happens when passwords exceed the limit All existing tests pass, no regressions introduced. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 15:38:20 +02:00
parent 1d91e24a88
commit 32aad186c3
5 changed files with 121 additions and 7 deletions
--- a/Docs/Backend-Development.md
+++ b/Docs/Backend-Development.md
@@ -1085,7 +1085,39 @@ The login endpoint (`POST /api/auth/login`) is protected against brute-force att

 ---

-## 13. File I/O Conventions
+## 12. Password Hashing
+
+The master password is hashed using **bcrypt** with an auto-generated salt. All password validation uses the models in `app.models.auth` and `app.models.setup`.
+
+### The 72-Byte Bcrypt Limitation
+
+**Important:** bcrypt silently truncates all input at **72 bytes** before hashing. This means:
+- A user who sets a 100-character password is actually authenticated by only the first 72 bytes
+- Extra characters beyond 72 bytes provide **zero additional security**
+- An attacker who has reduced their search space to 72 bytes can brute-force the password more efficiently than intended
+
+**Solution:** Both password fields enforce a **maximum length of 72 bytes**:
+- `LoginRequest.password` — max 72 characters (enforced via Pydantic `Field(max_length=72)`)
+- `SetupRequest.master_password` — max 72 characters (enforced via Pydantic `Field(max_length=72)`)
+
+**Validation flow:**
+1. Frontend → hashes password with SHA256 using `SubtleCrypto` before transmission
+2. Backend receives SHA256 hash, validates length (≤ 72 bytes)
+3. Backend → hashes with bcrypt using `run_blocking(bcrypt.hashpw)` to avoid event loop stall
+4. Hash stored in SQLite `settings` table
+
+**If a password exceeds 72 bytes:**
+- Pydantic raises `ValidationError` with error code `string_too_long`
+- The router returns **HTTP 422 Unprocessable Entity**
+- The frontend should inform the user to choose a shorter password
+
+**Implementation:** 
+- Models: `app.models.auth.LoginRequest`, `app.models.setup.SetupRequest`
+- Service layer: `app.services.auth_service._check_password()`, `app.services.setup_service.run_setup()`
+
+---
+
+## 14. File I/O Conventions

 All file write operations to critical configuration files must be **atomic** to prevent corruption if the process is killed mid-write.

@@ -1163,7 +1195,7 @@ atomic_write(path, updated_content)  # Atomic write, auto-cleanup on error

 ---

-## 14. Git & Workflow
+## 15. Git & Workflow

 - **Branch naming:** `feature/<short-description>`, `fix/<short-description>`, `chore/<short-description>`.
 - **Commit messages:** imperative tense, max 72 chars first line (`Add jail reload endpoint`, `Fix ban history query`).
@@ -1173,7 +1205,7 @@ atomic_write(path, updated_content)  # Atomic write, auto-cleanup on error

 ---

-## 15. Coding Principles
+## 16. Coding Principles

 These principles are **non-negotiable**. Every backend contributor must internalise and apply them daily.

@@ -1560,7 +1592,7 @@ When user-supplied URLs are fetched by the backend, validate them before making

 ---

-## 16. Quick Reference — Do / Don't
+## 17. Quick Reference — Do / Don't

 | Do | Don't |
 |---|---|
--- a/Docs/Features.md
+++ b/Docs/Features.md
@@ -14,7 +14,7 @@ A web application to monitor, manage, and configure fail2ban from a clean, acces

 ### Options

- **Master Password** — Set a single global password that protects the entire web interface.
+- **Master Password** — Set a single global password that protects the entire web interface. Must be between 8 and 72 characters long (72-byte limit is due to bcrypt truncation) and include one uppercase letter, one number, and one special character from `!@#$%^&*()`.
 - **Database Path** — Define where the application stores its own SQLite database.
 - **fail2ban Connection** — Specify how the application connects to the running fail2ban instance (socket path or related settings).
 - **General Preferences** — Any additional application-level settings such as default time zone, date format, or session duration.
--- a/backend/app/models/auth.py
+++ b/backend/app/models/auth.py
@@ -11,7 +11,11 @@ class LoginRequest(BaseModel):

    model_config = ConfigDict(strict=True)

-    password: str = Field(..., description="Master password to authenticate with.")
+    password: str = Field(
+        ...,
+        max_length=72,
+        description="Master password to authenticate with (max 72 bytes due to bcrypt truncation).",
+    )


 class LoginResponse(BaseModel):
--- a/backend/app/models/setup.py
+++ b/backend/app/models/setup.py
@@ -14,7 +14,8 @@ class SetupRequest(BaseModel):
    master_password: str = Field(
        ...,
        min_length=8,
-        description="Master password that protects the BanGUI interface.",
+        max_length=72,
+        description="Master password that protects the BanGUI interface (max 72 bytes due to bcrypt truncation).",
    )

    @field_validator("master_password")
@@ -22,6 +23,8 @@ class SetupRequest(BaseModel):
    def validate_master_password(cls, value: str) -> str:
        if len(value) < 8:
            raise ValueError("Password must be at least 8 characters long.")
+        if len(value) > 72:
+            raise ValueError("Password must not exceed 72 bytes (bcrypt limitation).")
        if not any(char.isupper() for char in value):
            raise ValueError("Password must include at least one uppercase letter.")
        if not any(char.isdigit() for char in value):
--- a/backend/tests/test_models.py
+++ b/backend/tests/test_models.py
@@ -289,3 +289,78 @@ def test_global_config_response_log_target_invalid_path(_mock_allowed_dirs: None
        )
    error_msg = str(exc_info.value)
    assert "outside allowed directories" in error_msg
+
+
+# ---------------------------------------------------------------------------
+# LoginRequest and SetupRequest password validation
+# ---------------------------------------------------------------------------
+
+
+def test_login_request_password_accepted_at_72_bytes() -> None:
+    """LoginRequest accepts passwords exactly 72 bytes long."""
+    from app.models.auth import LoginRequest
+
+    password_72 = "a" * 72
+    req = LoginRequest(password=password_72)
+    assert req.password == password_72
+
+
+def test_login_request_password_rejected_over_72_bytes() -> None:
+    """LoginRequest rejects passwords exceeding 72 bytes."""
+    from app.models.auth import LoginRequest
+
+    password_73 = "a" * 73
+    with pytest.raises(ValidationError) as exc_info:
+        LoginRequest(password=password_73)
+    error_msg = str(exc_info.value)
+    assert "at most 72 characters" in error_msg or "max_length" in error_msg
+
+
+def test_setup_request_master_password_accepted_at_72_bytes() -> None:
+    """SetupRequest accepts master_password exactly 72 bytes long."""
+    from app.models.setup import SetupRequest
+
+    password_72 = "Password1!" + "a" * 61  # 72 chars total with required complexity
+    req = SetupRequest(master_password=password_72)
+    assert req.master_password == password_72
+
+
+def test_setup_request_master_password_rejected_over_72_bytes() -> None:
+    """SetupRequest rejects master_password exceeding 72 bytes."""
+    from app.models.setup import SetupRequest
+
+    password_73 = "Password1!" + "a" * 63  # 73 chars total
+    with pytest.raises(ValidationError) as exc_info:
+        SetupRequest(master_password=password_73)
+    error_msg = str(exc_info.value)
+    assert "at most 72 characters" in error_msg or "string_too_long" in error_msg
+
+
+def test_setup_request_master_password_min_length_still_enforced() -> None:
+    """SetupRequest still enforces minimum password length (8 characters)."""
+    from app.models.setup import SetupRequest
+
+    with pytest.raises(ValidationError) as exc_info:
+        SetupRequest(master_password="Short1!")
+    error_msg = str(exc_info.value)
+    assert "8 characters" in error_msg
+
+
+def test_setup_request_master_password_complexity_still_enforced() -> None:
+    """SetupRequest still enforces password complexity requirements."""
+    from app.models.setup import SetupRequest
+
+    # Missing uppercase
+    with pytest.raises(ValidationError) as exc_info:
+        SetupRequest(master_password="password123!")
+    assert "uppercase" in str(exc_info.value)
+
+    # Missing number
+    with pytest.raises(ValidationError) as exc_info:
+        SetupRequest(master_password="Password!")
+    assert "number" in str(exc_info.value)
+
+    # Missing special character
+    with pytest.raises(ValidationError) as exc_info:
+        SetupRequest(master_password="Password1")
+    assert "special character" in str(exc_info.value)