From 7b18a36288f54c406f4778d6a565aa08cf53d2ea Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Fri, 10 May 2024 17:29:49 -0700
Subject: [PATCH] prevent accidental lockout from restricted chars in single pass mode (#1352)

* prevent accidental lockout from restrict chars in single pass mode

* update error message
---
 .../pages/GeneralSettings/Security/index.jsx | 18 ++++++++++++++----
 server/utils/helpers/updateENV.js | 9 ++++++++-
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/frontend/src/pages/GeneralSettings/Security/index.jsx b/frontend/src/pages/GeneralSettings/Security/index.jsx
index 7d60aadad..94655fea6 100644
--- a/frontend/src/pages/GeneralSettings/Security/index.jsx
+++ b/frontend/src/pages/GeneralSettings/Security/index.jsx
@@ -190,6 +190,7 @@ function MultiUserMode() {
 );
 }
+const PW_REGEX = new RegExp(/^[a-zA-Z0-9_\-!@$%^&*();]+$/);
 function PasswordProtection() {
 const [saving, setSaving] = useState(false);
 const [hasChanges, setHasChanges] = useState(false);
@@ -200,10 +201,19 @@ function PasswordProtection() {
 const handleSubmit = async (e) => {
 e.preventDefault();
 if (multiUserModeEnabled) return false;
+ const form = new FormData(e.target);
+
+ if (!PW_REGEX.test(form.get("password"))) {
+ showToast(
+ `Your password has restricted characters in it. Allowed symbols are _,-,!,@,$,%,^,&,*,(,),;`,
+ "error"
+ );
+ setSaving(false);
+ return;
+ }
 setSaving(true);
 setHasChanges(false);
- const form = new FormData(e.target);
 const data = {
 usePassword,
 newPassword: form.get("password"),
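Review bot: `PW_REGEX` is introduced without a comment explaining why the allowed set is this narrow or that it must stay identical to `noRestrictedChars()` in server/utils/helpers/updateENV.js, which the same commit adds with the same pattern; two hand-copied allow-lists will drift silently. Suggest `// Keep in sync with noRestrictedChars() in server/utils/helpers/updateENV.js; characters outside this set cause the lockout described in #1352.` above the constant. Wrapping a regex literal in `new RegExp(...)` is redundant, so `const PW_REGEX = /^[a-zA-Z0-9_\-!@$%^&*();]+$/;` is enough. This client-side check is a usability aid only; the server-side check remains the one that enforces the rule.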
@@ -323,9 +333,9 @@ function PasswordProtection() {
 </div>
 <div className="flex items-center justify-between space-x-14">
 <p className="text-white/80 text-xs rounded-lg w-96">
- By default, you will be the only admin. As an admin you will
- need to create accounts for all new users or admins. Do not lose
- your password as only an Admin user can reset passwords.
+ By default, anyone with this password can log into the instance.
+ Do not lose this password as only the instance maintainer is
+ able to retrieve or reset the password once set.
 </p>
 </div>
 </div>
diff --git a/server/utils/helpers/updateENV.js b/server/utils/helpers/updateENV.js
index 39223c334..e2f5c7526 100644
--- a/server/utils/helpers/updateENV.js
+++ b/server/utils/helpers/updateENV.js
@@ -338,7 +338,7 @@ const KEY_MAPPING = {
 // System Settings
 AuthToken: {
 envKey: "AUTH_TOKEN",
- checks: [requiresForceMode],
+ checks: [requiresForceMode, noRestrictedChars],
 },
 JWTSecret: {
 envKey: "JWT_SECRET",
@@ -574,6 +574,13 @@ function validHuggingFaceEndpoint(input = "") {
 : null;
 }
+function noRestrictedChars(input = "") {
+ const regExp = new RegExp(/^[a-zA-Z0-9_\-!@$%^&*();]+$/);
+ return !regExp.test(input)
+ ? `Your password has restricted characters in it. Allowed symbols are _,-,!,@,$,%,^,&,*,(,),;`
+ : null;
+}
+
 // This will force update .env variables which for any which reason were not able to be parsed or
 // read from an ENV file as this seems to be a complicating step for many so allowing people to write
 // to the process will at least alleviate that issue. It does not perform comprehensive validity checks or sanity checks
-- GitLab
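Review bot: `noRestrictedChars` rejects the empty string as well, because `+` requires at least one character, so the `input = ""` default fails on its own and an empty or cleared AUTH_TOKEN gets the "restricted characters" message; if disabling password protection routes through `checks`, that path is now blocked with a misleading message — confirm against the caller, which this hunk does not show. A non-string value (`null`/`undefined`) is stringified by `test()` and passes, so the guard should be explicit, e.g. `typeof input !== "string" || !regExp.test(input)` as the condition; the same applies to `PW_REGEX.test(form.get("password"))` in the frontend `handleSubmit` hunk, where `FormData.get` returns null for a missing field. The pattern is recompiled on every call and `new RegExp(...)` around a regex literal is redundant; hoist `const RESTRICTED_CHARS = /^[a-zA-Z0-9_\-!@$%^&*();]+$/;` to module scope beside the other validators. The allow-list shortens the usable password alphabet (no `.`, `+`, `#`, `=`, `/`, space or non-ASCII), presumably because the value is written to .env, and it duplicates `PW_REGEX` in the frontend, so a comment such as `// Allow-list prevents the lockout in #1352; keep in sync with PW_REGEX in frontend/src/pages/GeneralSettings/Security/index.jsx` should record both the trade-off and the coupling.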