api: enforce minimum character limit of 8 on new passwords

we already have two different password schemas, `PBS_PASSWORD_SCHEMA` being the stricter one, which ensures a minimum length of new passwords. however, this wasn't used on the change password endpoint before, so add it there too. this is also in-line with NIST's latest recommendations [1]. [1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
2025-01-20 14:03:53 +03:00 · 2024-10-04 15:40:53 +02:00 · 2024-10-04 15:40:53 +02:00 · fb5b6f3eab
commit fb5b6f3eab
parent 9f3733c5ed
2 changed files with 3 additions and 3 deletions
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@ -214,7 +214,7 @@ pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema =

 pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
    .format(&PASSWORD_FORMAT)
-    .min_length(5)
+    .min_length(8)
    .max_length(64)
    .schema();

--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@ -13,7 +13,7 @@ use proxmox_schema::api;
 use proxmox_sortable_macro::sortable;

 use pbs_api_types::{
-    Authid, User, Userid, ACL_PATH_SCHEMA, PASSWORD_FORMAT, PASSWORD_SCHEMA, PRIVILEGES,
+    Authid, User, Userid, ACL_PATH_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIVILEGES,
    PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
 };
 use pbs_config::acl::AclTreeNode;
@ -75,7 +75,7 @@ async fn user_update_auth<S: AsRef<str>>(
                type: Userid,
            },
            password: {
-                schema: PASSWORD_SCHEMA,
+                schema: PBS_PASSWORD_SCHEMA,
            },
            "confirmation-password": {
                type: String,