Prerequisites
Area
Auth / Security
Problem or Motivation
The setup script references a PASSWORD_MIN_LENGTH constant, but I couldn't find the actual
minimum length value, a maximum length, or the allowed character set documented anywhere
(README, docs/setup.md, or Settings UI).
I use a password manager (Enpass) with lowercase, uppercase, digits, and special characters
enabled, generating passwords around 100 characters long, potentially including the full
standard set of special characters:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
I confirmed this is a real, reproducible issue, not just missing docs: setting a ~100-character
password via Settings > Change Password fails with a frontend error
"JSON.parse: unexpected character at line 1 column 1 of the JSON data", suggesting the backend
returns a non-JSON error response (likely an unhandled exception/HTML error page) instead of a
clean validation error. A 72-character password works fine.
This strongly points to bcrypt's 72-byte input limit (the bcrypt Python package raises a
ValueError for inputs over 72 bytes since v4.0, rather than silently truncating) being hit
without being caught and handled gracefully server-side.
Proposed Solution
Document the following, either in docs/setup.md, the README security notes, or directly in
the Settings UI as a hint next to the password field:
- The exact minimum password length (PASSWORD_MIN_LENGTH)
- The maximum password length — practically capped at 72 bytes by bcrypt
- Whether any characters are disallowed or cause issues
Additionally, and more importantly: catch the bcrypt length error server-side and return a
clean validation error (e.g. "Password must be 72 characters or fewer") instead of letting
it surface as an unhandled exception that breaks JSON parsing on the frontend.
Alternatives Considered
Could also just add inline validation error text showing the requirement, but explicit docs
are more discoverable.
Prior Art / Related Issues
No response
Are you willing to implement this?
No — I am only filing the request
Prerequisites
Area
Auth / Security
Problem or Motivation
The setup script references a PASSWORD_MIN_LENGTH constant, but I couldn't find the actual
minimum length value, a maximum length, or the allowed character set documented anywhere
(README, docs/setup.md, or Settings UI).
I use a password manager (Enpass) with lowercase, uppercase, digits, and special characters
enabled, generating passwords around 100 characters long, potentially including the full
standard set of special characters:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
I confirmed this is a real, reproducible issue, not just missing docs: setting a ~100-character
password via Settings > Change Password fails with a frontend error
"JSON.parse: unexpected character at line 1 column 1 of the JSON data", suggesting the backend
returns a non-JSON error response (likely an unhandled exception/HTML error page) instead of a
clean validation error. A 72-character password works fine.
This strongly points to bcrypt's 72-byte input limit (the
bcryptPython package raises aValueError for inputs over 72 bytes since v4.0, rather than silently truncating) being hit
without being caught and handled gracefully server-side.
Proposed Solution
Document the following, either in docs/setup.md, the README security notes, or directly in
the Settings UI as a hint next to the password field:
Additionally, and more importantly: catch the bcrypt length error server-side and return a
clean validation error (e.g. "Password must be 72 characters or fewer") instead of letting
it surface as an unhandled exception that breaks JSON parsing on the frontend.
Alternatives Considered
Could also just add inline validation error text showing the requirement, but explicit docs
are more discoverable.
Prior Art / Related Issues
No response
Are you willing to implement this?
No — I am only filing the request