From 2792d8b3f526e4a55aae35d2a2a7ec9d42025a67 Mon Sep 17 00:00:00 2001
From: fenn-cs
Date: Fri, 15 Mar 2024 11:46:19 +0100
Subject: [PATCH] feat: Limit email input on auth pages to 255 chars

Excessively long emails reported make server unresponsive. We could at some point, consider adding a configuration for sysadmins to bypass this setting on their instance if they want.

Signed-off-by: fenn-cs
---
 core/Controller/LoginController.php | 13 +++++++-
 core/Controller/LostController.php | 4 +++
 core/src/components/login/LoginForm.vue | 8 ++++-
 core/src/components/login/ResetPassword.vue | 6 ++++
 core/src/mixins/auth.js | 36 +++++++++++++++++++++
 5 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 core/src/mixins/auth.js

diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index fb60f0feccc..90c49549249 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -336,9 +336,20 @@ class LoginController extends Controller {
 );
 }
 
+ $user = trim($user);
+
+ if (strlen($user) > 255) {
+ return $this->createLoginFailedResponse(
+ $user,
+ $user,
+ $redirect_url,
+ $this->l10n->t('Unsupported email length (>255)')
+ );
+ }
+
 $data = new LoginData(
 $this->request,
- trim($user),
+ $user,
 $password,
 $redirect_url,
 $timezone,
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 8e9a9e0f0de..d94386f9ab5 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -182,6 +182,10 @@ class LostController extends Controller {
 
 $user = trim($user);
 
+ if (strlen($user) > 255) {
+ return new JSONResponse($this->error($this->l10n->t('Unsupported email length (>255)')));
+ }
+
 \OCP\Util::emitHook(
 '\OCA\Files_Sharing\API\Server2Server',
 'preLoginNameUsedAsUserName',
diff --git a/core/src/components/login/LoginForm.vue b/core/src/components/login/LoginForm.vue
index 9844df6239d..48620605c9d 100644
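Review bot: `strlen($user) > 255` in the LoginController.php hunk bounds bytes, while the `:maxlength="255"` this same commit adds in LoginForm.vue bounds UTF-16 code units, so a non-ASCII login name the form still accepts can be rejected here with a message the user had no chance to act on; either compare with `mb_strlen($user) > 255` in both controllers, or keep the byte bound and make the client limit and the message say so. The same check and message are duplicated in the LostController.php hunk and the literal 255 appears a third time in the new auth.js mixin, so one shared constant would keep the three in step. `Unsupported email length (>255)` is also shown when `$user` is a plain username rather than an email, which the login form appears to allow given the field is named `user`. Both enclosing methods start and end outside their hunks.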
--- a/core/src/components/login/LoginForm.vue +++ b/core/src/components/login/LoginForm.vue @@ -62,12 +62,15 @@ ref="user" :label="loginText" name="user" + :maxlength="255" :value.sync="user" :class="{shake: invalidPassword}" autocapitalize="none" :spellchecking="false" :autocomplete="autoCompleteAllowed ? 'username' : 'off'" required + :error="userNameInputLengthIs255" + :helper-text="userInputHelperText" data-login-form-input-user @change="updateUsername" /> @@ -117,6 +120,8 @@ import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js' import LoginButton from './LoginButton.vue' +import AuthMixin from '../../mixins/auth.js' + export default { name: 'LoginForm', @@ -126,6 +131,7 @@ export default { NcTextField, NcNoteCard, }, + mixins: [AuthMixin], props: { username: { @@ -160,7 +166,7 @@ export default { type: Array, default() { return [] - } + }, }, }, diff --git a/core/src/components/login/ResetPassword.vue b/core/src/components/login/ResetPassword.vue index 0490bd84cf5..a1ecc27bb8e 100644 --- a/core/src/components/login/ResetPassword.vue +++ b/core/src/components/login/ResetPassword.vue @@ -25,8 +25,11 @@ @@ -60,6 +63,8 @@ import LoginButton from './LoginButton.vue' import NcTextField from '@nextcloud/vue/dist/Components/NcTextField.js' import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js' +import AuthMixin from '../../mixins/auth.js' + export default { name: 'ResetPassword', components: { @@ -67,6 +72,7 @@ export default { NcNoteCard, NcTextField, }, + mixins: [AuthMixin], props: { username: { type: String, diff --git a/core/src/mixins/auth.js b/core/src/mixins/auth.js new file mode 100644 index 00000000000..c864371f295 --- /dev/null +++ b/core/src/mixins/auth.js 
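Review bot: `:error="userNameInputLengthIs255"` in the first LoginForm.vue hunk puts the field into its error state at exactly 255 characters, which the server-side check in this commit still accepts (only more than 255 is rejected), and because `:maxlength="255"` stops the field from ever growing past that, the error styling fires for every input that merely fills the limit. The helper text already says the limit is reached, so dropping `:error` or presenting the state as informational would avoid telling users a valid address is wrong. The trailing-comma change in the `@@ -160,7 +166,7 @@` hunk is unrelated formatting churn that would be easier to review in its own commit. The ResetPassword.vue template hunk (`@@ -25,8 +25,11 @@`) carries no content in this rendering, so its bindings could not be checked.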
@@ -0,0 +1,36 @@
+/**
+ * @copyright Copyright (c) 2024 Fon E. Noel NFEBE
+ *
+ * @author Fon E. Noel NFEBE
+ *
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+export default {
+
+ computed: {
+ userNameInputLengthIs255() {
+ return this.user.length >= 255
+ },
+ userInputHelperText() {
+ if (this.userNameInputLengthIs255) {
+ return t('core', 'Email length is at max (255)')
+ }
+ return undefined
+ },
+ },
+}
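Review bot: The mixin reads `this.user` and calls `t` without declaring either, so it only works in a host component that defines a string `user` in its data and in a build where `t` is a global; a short JSDoc header on the export stating that the host component must provide a string `user` data field would save the next consumer a runtime TypeError on `.length`. If `@nextcloud/l10n` is already a dependency of core, importing `translate as t` from it instead of relying on the global would make that second assumption explicit. The limit 255 is baked into both the computed's name and its body, as well as into the two PHP controllers; exporting `export const MAX_LOGIN_NAME_LENGTH = 255` from this module and comparing with `this.user.length >= MAX_LOGIN_NAME_LENGTH` gives the Vue side a single source of truth and a name that survives a later change of the limit. The trailing `return undefined` in `userInputHelperText` is redundant, since falling off the end of the function yields the same value.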