From 60c3147a378bff46362d7f21452fc7954da0736b Mon Sep 17 00:00:00 2001
From: Matthew Blissett
Date: Tue, 12 Mar 2024 15:31:23 +0100
Subject: [PATCH] Avoid DOS route with authentication of extremely long passwords.

---
 .../registry/identity/service/IdentityServiceImpl.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/registry-identity/src/main/java/org/gbif/registry/identity/service/IdentityServiceImpl.java b/registry-identity/src/main/java/org/gbif/registry/identity/service/IdentityServiceImpl.java
index 8565fb8fc5..65b9d0e37d 100644
--- a/registry-identity/src/main/java/org/gbif/registry/identity/service/IdentityServiceImpl.java
+++ b/registry-identity/src/main/java/org/gbif/registry/identity/service/IdentityServiceImpl.java
@@ -208,7 +208,12 @@ public PagingResponse search(
   @Override
   @Nullable
   public GbifUser authenticate(String username, String password) {
-    if (Strings.isNullOrEmpty(username) || password == null) {
+    if (Strings.isNullOrEmpty(username) || Strings.isNullOrEmpty(password)) {
+      return null;
+    }
+
+    // Avoid DOS route with an attacker trying extremely long passwords.
+    if (!PASSWORD_LENGTH_RANGE.contains(password.length())) {
       return null;
     }