Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
01c45d0344946be07c967344c14ec3d95f20e375
CapaKraken/apps/web/src/app/auth/reset-password/[token]/page.tsx
T
Hartmut 01c45d0344 security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56) 
Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 14:56:43 +02:00

121 lines
4.5 KiB
TypeScript
Raw Blame History

"use client";
import { use, useState } from "react";
import { useRouter } from "next/navigation";
import { PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE } from "@capakraken/shared";
import { trpc } from "~/lib/trpc/client.js";
export default function ResetPasswordPage({ params }: { params: Promise<{ token: string }> }) {
const { token } = use(params);
const router = useRouter();
const [password, setPassword] = useState("");
const [confirm, setConfirm] = useState("");
const [formError, setFormError] = useState<string | null>(null);
const [done, setDone] = useState(false);
const mutation = trpc.auth.resetPassword.useMutation({
onSuccess: () => setDone(true),
onError: (err) => setFormError(err.message),
});
function handleSubmit(e: React.FormEvent) {
e.preventDefault();
setFormError(null);
if (password.length < PASSWORD_MIN_LENGTH) {
setFormError(PASSWORD_POLICY_MESSAGE);
return;
}
if (password !== confirm) {
setFormError("Passwords do not match.");
return;
}
mutation.mutate({ token, password });
}
if (done) {
return (
<div className="min-h-screen flex items-center justify-center bg-gray-50 dark:bg-gray-950 p-4">
<div className="w-full max-w-md rounded-2xl bg-white dark:bg-gray-900 shadow-lg p-8 text-center">
<div className="text-4xl mb-4"></div>
<h1 className="text-lg font-semibold text-gray-900 dark:text-gray-100 mb-2">
Password updated
</h1>
<p className="text-sm text-gray-500 mb-6">Your password has been changed successfully.</p>
<button
type="button"
onClick={() => router.push("/auth/signin")}
className="rounded-lg bg-brand-600 px-5 py-2 text-sm font-semibold text-white hover:bg-brand-700 transition-colors"
>
Go to sign in
</button>
</div>
</div>
);
}
return (
<div className="min-h-screen flex items-center justify-center bg-gray-50 dark:bg-gray-950 p-4">
<div className="w-full max-w-md rounded-2xl bg-white dark:bg-gray-900 shadow-lg p-8">
<div className="mb-6">
<h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">Set a new password</h1>
<p className="mt-1 text-sm text-gray-500">Choose a new password for your account.</p>
</div>
<form onSubmit={handleSubmit} className="space-y-4">
{formError && (
<div className="rounded-lg bg-red-50 dark:bg-red-900/20 border border-red-200 dark:border-red-700 px-4 py-3 text-sm text-red-700 dark:text-red-400">
{formError}
</div>
)}
<div>
<label
htmlFor="password"
className="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1"
>
New password
</label>
<input
id="password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
required
minLength={PASSWORD_MIN_LENGTH}
placeholder={`At least ${PASSWORD_MIN_LENGTH} characters`}
className="w-full rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
/>
</div>
<div>
<label
htmlFor="confirm"
className="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1"
>
Confirm new password
</label>
<input
id="confirm"
type="password"
value={confirm}
onChange={(e) => setConfirm(e.target.value)}
required
placeholder="Repeat your password"
className="w-full rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
/>
</div>
<button
type="submit"
disabled={mutation.isPending}
className="w-full rounded-lg bg-brand-600 px-4 py-2 text-sm font-semibold text-white hover:bg-brand-700 transition-colors disabled:opacity-50"
>
{mutation.isPending ? "Saving…" : "Set new password"}
</button>
</form>
</div>
</div>
);
}
Reference in New Issue View Git Blame Copy Permalink