prevent accidental lockout from restricted chars in single pass mode (#1352)

* prevent accidental lockout from restrict chars in single pass mode * update error message
2024-11-11 01:10:11 +01:00 · 2024-05-10 17:29:49 -07:00 · 2024-05-10 17:29:49 -07:00 · 7b18a36288
commit 7b18a36288
parent 98953d70b7
2 changed files with 22 additions and 5 deletions
--- a/frontend/src/pages/GeneralSettings/Security/index.jsx
+++ b/frontend/src/pages/GeneralSettings/Security/index.jsx
@ -190,6 +190,7 @@ function MultiUserMode() {
  );
 }

+const PW_REGEX = new RegExp(/^[a-zA-Z0-9_\-!@$%^&*();]+$/);
 function PasswordProtection() {
  const [saving, setSaving] = useState(false);
  const [hasChanges, setHasChanges] = useState(false);
@ -200,10 +201,19 @@ function PasswordProtection() {
  const handleSubmit = async (e) => {
    e.preventDefault();
    if (multiUserModeEnabled) return false;
+    const form = new FormData(e.target);
+
+    if (!PW_REGEX.test(form.get("password"))) {
+      showToast(
+        `Your password has restricted characters in it. Allowed symbols are _,-,!,@,$,%,^,&,*,(,),;`,
+        "error"
+      );
+      setSaving(false);
+      return;
+    }

    setSaving(true);
    setHasChanges(false);
-    const form = new FormData(e.target);
    const data = {
      usePassword,
      newPassword: form.get("password"),
@ -323,9 +333,9 @@ function PasswordProtection() {
            </div>
            <div className="flex items-center justify-between space-x-14">
              <p className="text-white/80 text-xs rounded-lg w-96">
-                By default, you will be the only admin. As an admin you will
-                need to create accounts for all new users or admins. Do not lose
-                your password as only an Admin user can reset passwords.
+                By default, anyone with this password can log into the instance.
+                Do not lose this password as only the instance maintainer is
+                able to retrieve or reset the password once set.
              </p>
            </div>
          </div>
--- a/server/utils/helpers/updateENV.js
+++ b/server/utils/helpers/updateENV.js
@ -338,7 +338,7 @@ const KEY_MAPPING = {
  // System Settings
  AuthToken: {
    envKey: "AUTH_TOKEN",
-    checks: [requiresForceMode],
+    checks: [requiresForceMode, noRestrictedChars],
  },
  JWTSecret: {
    envKey: "JWT_SECRET",
@ -574,6 +574,13 @@ function validHuggingFaceEndpoint(input = "") {
    : null;
 }

+function noRestrictedChars(input = "") {
+  const regExp = new RegExp(/^[a-zA-Z0-9_\-!@$%^&*();]+$/);
+  return !regExp.test(input)
+    ? `Your password has restricted characters in it. Allowed symbols are _,-,!,@,$,%,^,&,*,(,),;`
+    : null;
+}
+
 // This will force update .env variables which for any which reason were not able to be parsed or
 // read from an ENV file as this seems to be a complicating step for many so allowing people to write
 // to the process will at least alleviate that issue. It does not perform comprehensive validity checks or sanity checks