Improve password length validation in ActiveModel::SecurePassword for BCrypt compatibility

- Validate password length in both characters and bytes
- Provide user-friendly error message for character length
- Add byte size validation due to BCrypt's 72-byte limit

Co-authored-by: ChatGPT

[Fix rails#47600]

Author: guilleiguaran

activemodel/CHANGELOG.md

@@ -1,3 +1,22 @@
+*   Improve password length validation in ActiveModel::SecurePassword to consider byte size for BCrypt compatibility.
+
+    The previous password length validation only considered the character count, which may not
+    accurately reflect the 72-byte size limit imposed by BCrypt. This change updates the validation
+    to consider both character count and byte size while keeping the character length validation in place.
+
+    ```ruby
+      user = User.new(password: "𝕒" * 73)  # 73 characters
+      user.valid? # => false
+      user.errors[:password] # => ["is too long (maximum is 72 characters)"]
+
+
+      user = User.new(password: "𝕒" * 25)  # 25 characters, 75 bytes
+      user.valid? # => false
+      user.errors[:password] # => ["is too long (maximum is 72 bytes)"]
+    ```
+
+    *ChatGPT*, *Guillermo Iguaran*
+
 *   `has_secure_password` now generates an `#{attribute}_salt` method that returns the salt
     used to compute the password digest. The salt will change whenever the password is changed,
     so it can be used to create single-use password reset tokens with `generates_token_for`:

activemodel/lib/active_model/locale/en.yml

@@ -18,6 +18,7 @@ en:
       too_long:
         one: "is too long (maximum is 1 character)"
         other: "is too long (maximum is %{count} characters)"
+      too_long_in_bytes: "is too long (maximum is %{count} bytes)"
       too_short:
         one: "is too short (minimum is 1 character)"
         other: "is too short (minimum is %{count} characters)"

activemodel/lib/active_model/secure_password.rb

@@ -132,7 +132,21 @@ def has_secure_password(attribute = :password, validations: true)
             end
           end
 
-          validates_length_of attribute, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
+          # Validates that the password does not exceed the maximum allowed characters (72 characters) and
+          # the maximum allowed bytes (72 bytes) for BCrypt. The character length validation is checked first
+          # to provide a more user-friendly error message. However, the byte size validation is still necessary
+          # due to BCrypt's inherent limitation of 72 bytes.
+          validate do |record|
+            password_value = record.public_send(attribute)
+            if password_value.present?
+              if password_value.length > ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
+                record.errors.add(attribute, :too_long, count: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED)
+              elsif password_value.bytesize > ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
+                record.errors.add(attribute, :too_long_in_bytes, count: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED)
+              end
+            end
+          end
+
           validates_confirmation_of attribute, allow_blank: true
         end
       end

activemodel/test/cases/secure_password_test.rb

@@ -62,14 +62,24 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["can’t be blank"], @user.errors[:password]
   end
 
-  test "create a new user with validation and password length greater than 72" do
+  test "create a new user with validation and password length greater than 72 characters" do
     @user.password = "a" * 73
     @user.password_confirmation = "a" * 73
     assert_not @user.valid?(:create), "user should be invalid"
     assert_equal 1, @user.errors.count
     assert_equal ["is too long (maximum is 72 characters)"], @user.errors[:password]
   end
 
+  test "create a new user with validation and password byte size greater than 72 bytes" do
+    # Create a password with 73 bytes by using a 3-byte Unicode character (e.g., "あ") 24 times, followed by a 1-byte character "a".
+    # This will result in a password length of 25 characters, but with a byte size of 73.
+    @user.password = "あ" * 24 + "a"
+    @user.password_confirmation = "あ" * 24 + "a"
+    assert_not @user.valid?(:create), "user should be invalid"
+    assert_equal 1, @user.errors.count
+    assert_equal ["is too long (maximum is 72 bytes)"], @user.errors[:password]
+  end
+
   test "create a new user with validation and a blank password confirmation" do
     @user.password = "password"
     @user.password_confirmation = ""