From c7cc91cb65687e0325d817472a9da9b0c3894b41 Mon Sep 17 00:00:00 2001
From: Logan Leger
Date: Tue, 18 Nov 2014 23:10:01 -0600
Subject: [PATCH] Update password length validation to 72 characters max

BCrypt has a limit of 72 characters for the password. Anything beyond 72 characters is truncated. This commit updates the validation to limit passwords to less than 72 characters, keeping within the limitation.
---
 lib/devise/models/validatable.rb | 2 +-
 lib/generators/templates/devise.rb | 2 +-
 test/models/validatable_test.rb | 10 +++++-----
 test/rails_app/config/initializers/devise.rb | 4 ++--
 test/rails_app/lib/shared_user.rb | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/lib/devise/models/validatable.rb b/lib/devise/models/validatable.rb
index 2bfdf458..bd21fbf6 100644
--- a/lib/devise/models/validatable.rb
+++ b/lib/devise/models/validatable.rb
@@ -10,7 +10,7 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     # * +email_regexp+: the regular expression used to validate e-mails;
-    # * +password_length+: a range expressing password length. Defaults to 8..128.
+    # * +password_length+: a range expressing password length. Defaults to 8..72.
     #
     module Validatable
       # All validations used by this module.
diff --git a/lib/generators/templates/devise.rb b/lib/generators/templates/devise.rb
index d8cd54f0..18d3a555 100644
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@@ -144,7 +144,7 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 8..128
+  config.password_length = 8..72
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
diff --git a/test/models/validatable_test.rb b/test/models/validatable_test.rb
index c8dc6877..3cd03d86 100644
--- a/test/models/validatable_test.rb
+++ b/test/models/validatable_test.rb
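Review bot: The new `config.password_length = 8..72` default in lib/generators/templates/devise.rb (and the matching doc line in lib/devise/models/validatable.rb and the commented default in test/rails_app/config/initializers/devise.rb) bounds the password in characters, whereas the 72 limit the commit message describes is bcrypt's limit in bytes; a 72-character password containing multibyte UTF-8 characters still exceeds 72 bytes and is silently truncated by bcrypt, so the new range narrows but does not close the gap the commit sets out to fix. The comment above the setting should state the unit and the residual case, e.g. `# Range for password length, counted in characters. BCrypt only uses the first 72 bytes, so multibyte passwords near the upper bound may still be truncated.`, and the length validation in Validatable (outside this hunk) could additionally reject `password.bytesize > 72`. The updated tests in test/models/validatable_test.rb exercise only ASCII `'x'*73`, so they would not detect the multibyte case.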
@@ -92,10 +92,10 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'is too short (minimum is 7 characters)', user.errors[:password].join
   end
 
-  test 'should require a password with maximum of 128 characters long' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+  test 'should require a password with maximum of 72 characters long' do
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not require password length when it\'s not changed' do
@@ -109,10 +109,10 @@ class ValidatableTest < ActiveSupport::TestCase
   end
 
   test 'should complain about length even if password is not required' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     user.stubs(:password_required?).returns(false)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not be included in objects with invalid API' do
diff --git a/test/rails_app/config/initializers/devise.rb b/test/rails_app/config/initializers/devise.rb
index 1f994802..9be1e9a1 100644
--- a/test/rails_app/config/initializers/devise.rb
+++ b/test/rails_app/config/initializers/devise.rb
@@ -90,8 +90,8 @@ Devise.setup do |config|
   # config.extend_remember_period = false
 
   # ==> Configuration for :validatable
-  # Range for password length. Default is 8..128.
-  # config.password_length = 8..128
+  # Range for password length. Default is 8..72.
+  # config.password_length = 8..72
 
   # Regex to use to validate the email address
   # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
diff --git a/test/rails_app/lib/shared_user.rb b/test/rails_app/lib/shared_user.rb
index adb0e333..9d7cac21 100644
--- a/test/rails_app/lib/shared_user.rb
+++ b/test/rails_app/lib/shared_user.rb
@@ -4,7 +4,7 @@ module SharedUser
   included do
     devise :database_authenticatable, :confirmable, :lockable, :recoverable,
            :registerable, :rememberable, :timeoutable,
-           :trackable, :validatable, :omniauthable, password_length: 7..128
+           :trackable, :validatable, :omniauthable, password_length: 7..72
 
     attr_accessor :other_key