authorfenn-cs <fenn25.fn@gmail.com>2024-03-15 11:46:19 +0100
committernextcloud-command <nextcloud-command@users.noreply.github.com>2024-05-28 21:29:57 +0000
commit15115a4353a2a4b5ac727a68f82d8042fb9264f9 (patch)
tree36740a74ac9902db3f18ffec9e884515d3c6a6fc
parent8f0bbcd4e8400b8a6abb2b508be741d35762a439 (diff)
downloadnextcloud-server-15115a4353a2a4b5ac727a68f82d8042fb9264f9.tar.gz
nextcloud-server-15115a4353a2a4b5ac727a68f82d8042fb9264f9.zip
feat: Limit email input on auth pages to 255 chars
Excessively long emails were reported to make the server unresponsive. We could, at some point, consider adding a configuration for sysadmins to bypass this setting on their instance if they want. Signed-off-by: fenn-cs <fenn25.fn@gmail.com>
-rw-r--r--core/Controller/LoginController.php13
-rw-r--r--core/Controller/LostController.php4
-rw-r--r--core/src/components/login/LoginForm.vue8
-rw-r--r--core/src/components/login/ResetPassword.vue4
-rw-r--r--core/src/mixins/auth.js36
5 files changed, 63 insertions, 2 deletions
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index a7f1ae41d25..6a29bd17282 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -330,9 +330,20 @@ class LoginController extends Controller {
);
}
+ $user = trim($user);
+
+ if (strlen($user) > 255) {
+ return $this->createLoginFailedResponse(
+ $user,
+ $user,
+ $redirect_url,
+ $this->l10n->t('Unsupported email length (>255)')
+ );
+ }
+
$data = new LoginData(
$this->request,
- trim($user),
+ $user,
$password,
$redirect_url,
$timezone,
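Review bot: The rejected value is still handed to `createLoginFailedResponse()` as both its first and second argument, so an over-long `$user` keeps travelling through the failure path. That helper is outside this hunk; if it copies the name into the session or the redirect query string, the request this check is meant to cut short still produces an arbitrarily large response. Passing an empty string for a rejected name avoids that: `return $this->createLoginFailedResponse('', '', $redirect_url, $this->l10n->t('Unsupported email length (>255)'));`. The enclosing method starts and ends outside the hunk, so whether this early return still passes through the controller's throttling cannot be confirmed from here.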
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index d6b13a4cb96..c18f76f3abb 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -179,6 +179,10 @@ class LostController extends Controller {
$user = trim($user);
+ if (strlen($user) > 255) {
+ return new JSONResponse($this->error($this->l10n->t('Unsupported email length (>255)')));
+ }
+
\OCP\Util::emitHook(
'\OCA\Files_Sharing\API\Server2Server',
'preLoginNameUsedAsUserName',
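Review bot: `strlen($user)` counts bytes, so a UTF-8 account name well under 255 characters can be rejected, while the `:maxlength="255"` added to the form fields counts UTF-16 code units; the two limits disagree for non-ASCII input. If the byte bound is intended as a resource limit, say so next to the check, e.g. `// byte length on purpose: bounds per-request work, not the character count`; otherwise use `mb_strlen($user) > 255`. The same applies to the identical check in LoginController.php. The message says "email", although the reset form labels this field 'Account name or email'. The enclosing method starts and ends outside the hunk.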
diff --git a/core/src/components/login/LoginForm.vue b/core/src/components/login/LoginForm.vue
index 417c0d67819..c4750d28da4 100644
--- a/core/src/components/login/LoginForm.vue
+++ b/core/src/components/login/LoginForm.vue
@@ -62,12 +62,15 @@
ref="user"
:label="loginText"
name="user"
+ :maxlength="255"
:value.sync="user"
:class="{shake: invalidPassword}"
autocapitalize="none"
:spellchecking="false"
:autocomplete="autoCompleteAllowed ? 'username' : 'off'"
required
+ :error="userNameInputLengthIs255"
+ :helper-text="userInputHelperText"
data-login-form-input-user
@change="updateUsername" />
@@ -117,6 +120,8 @@ import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
import LoginButton from './LoginButton.vue'
+import AuthMixin from '../../mixins/auth.js'
+
export default {
name: 'LoginForm',
@@ -126,6 +131,7 @@ export default {
NcTextField,
NcNoteCard,
},
+ mixins: [AuthMixin],
props: {
username: {
@@ -160,7 +166,7 @@ export default {
type: Array,
default() {
return []
- }
+ },
},
},
diff --git a/core/src/components/login/ResetPassword.vue b/core/src/components/login/ResetPassword.vue
index e1d66daa4aa..7059484f1d1 100644
--- a/core/src/components/login/ResetPassword.vue
+++ b/core/src/components/login/ResetPassword.vue
@@ -25,6 +25,7 @@
<NcTextField id="user"
:value.sync="user"
name="user"
+ :maxlength="255"
autocapitalize="off"
:label="t('core', 'Account name or email')"
required
@@ -60,6 +61,8 @@ import LoginButton from './LoginButton.vue'
import NcTextField from '@nextcloud/vue/dist/Components/NcTextField.js'
import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
+import AuthMixin from '../../mixins/auth.js'
+
export default {
name: 'ResetPassword',
components: {
@@ -67,6 +70,7 @@ export default {
NcNoteCard,
NcTextField,
},
+ mixins: [AuthMixin],
props: {
username: {
type: String,
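Review bot: `mixins: [AuthMixin]` is registered here, but none of the visible ResetPassword.vue hunks binds `userNameInputLengthIs255` or `userInputHelperText`; the template hunk adds only `:maxlength="255"`. Either bind them as LoginForm.vue does, with `:error="userNameInputLengthIs255"` and `:helper-text="userInputHelperText"`, or drop the import and the `mixins` entry so the component carries no unused code. The mixin reads `this.user`, which is presumably a data property of this component declared outside the hunks shown.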
diff --git a/core/src/mixins/auth.js b/core/src/mixins/auth.js
new file mode 100644
index 00000000000..c864371f295
--- /dev/null
+++ b/core/src/mixins/auth.js
@@ -0,0 +1,36 @@
+/**
+ * @copyright Copyright (c) 2024 Fon E. Noel NFEBE <opensource@nfebe.com>
+ *
+ * @author Fon E. Noel NFEBE <opensource@nfebe.com>
+ *
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+export default {
+
+ computed: {
+ userNameInputLengthIs255() {
+ return this.user.length >= 255
+ },
+ userInputHelperText() {
+ if (this.userNameInputLengthIs255) {
+ return t('core', 'Email length is at max (255)')
+ }
+ return undefined
+ },
+ },
+}
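Review bot: `userNameInputLengthIs255` returns true at exactly 255 characters, a length the server-side checks in this commit accept (they reject only `> 255`), and LoginForm.vue binds it to `:error`, so a valid value is shown in the error state. Since `:maxlength="255"` already stops input at 255, the state would read better as a hint than as an error, and the name should say what the `>=` test means, e.g. `userNameInputLengthAtLimit`. The mixin also reads `this.user` without declaring it; a doc comment on the export stating that the host component must provide a string `user` data property would make that contract explicit. These client-side limits are a convenience only; the PHP checks remain the enforcement point.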