fix: signup vulnerability (#4859)

apps/web/modules/auth/forgot-password/actions.ts

@@ -4,9 +4,10 @@ import { actionClient } from "@/lib/utils/action-client";
 import { getUserByEmail } from "@/modules/auth/lib/user";
 import { sendForgotPasswordEmail } from "@/modules/email";
 import { z } from "zod";
+import { ZUserEmail } from "@formbricks/types/user";
 
 const ZForgotPasswordAction = z.object({
-  email: z.string().max(255).email({ message: "Invalid email" }),
+  email: ZUserEmail,
 });
 
 export const forgotPasswordAction = actionClient

apps/web/modules/auth/signup/actions.ts

@@ -15,12 +15,12 @@ import { createMembership } from "@formbricks/lib/membership/service";
 import { createOrganization, getOrganization } from "@formbricks/lib/organization/service";
 import { UnknownError } from "@formbricks/types/errors";
 import { TOrganizationRole, ZOrganizationRole } from "@formbricks/types/memberships";
-import { ZUserLocale, ZUserName } from "@formbricks/types/user";
+import { ZUserEmail, ZUserLocale, ZUserName, ZUserPassword } from "@formbricks/types/user";
 
 const ZCreateUserAction = z.object({
   name: ZUserName,
-  email: z.string().max(255).email({ message: "Invalid email" }),
-  password: z.string().min(8),
+  email: ZUserEmail,
+  password: ZUserPassword,
   inviteToken: z.string().optional(),
   userLocale: ZUserLocale.optional(),
   defaultOrganizationId: z.string().optional(),

apps/web/modules/auth/signup/components/signup-form.tsx

@@ -21,17 +21,14 @@ import Turnstile, { useTurnstile } from "react-turnstile";
 import { z } from "zod";
 import { env } from "@formbricks/lib/env";
 import { TOrganizationRole } from "@formbricks/types/memberships";
-import { TUserLocale, ZUserName } from "@formbricks/types/user";
+import { TUserLocale, ZUserName, ZUserPassword } from "@formbricks/types/user";
 import { createEmailTokenAction } from "../../../auth/actions";
 import { PasswordChecks } from "./password-checks";
 
 const ZSignupInput = z.object({
   name: ZUserName,
   email: z.string().email(),
-  password: z
-    .string()
-    .min(8)
-    .regex(/^(?=.*[A-Z])(?=.*\d).*$/),
+  password: ZUserPassword,
 });
 
 const turnstileSiteKey = env.NEXT_PUBLIC_TURNSTILE_SITE_KEY;

apps/web/modules/auth/verification-requested/actions.ts

@@ -5,9 +5,10 @@ import { getUserByEmail } from "@/modules/auth/lib/user";
 import { sendVerificationEmail } from "@/modules/email";
 import { z } from "zod";
 import { InvalidInputError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { ZUserEmail } from "@formbricks/types/user";
 
 const ZResendVerificationEmailAction = z.object({
-  email: z.string().max(255).email({ message: "Invalid email" }),
+  email: ZUserEmail,
 });
 
 export const resendVerificationEmailAction = actionClient

packages/types/user.ts

@@ -28,13 +28,14 @@ export const ZUserName = z
   .min(1, { message: "Name should be at least 1 character long" })
   .regex(/^[\p{L}\p{M}\s'\d-]+$/u, "Invalid name format");
 
-export const ZUserEmail = z.string().email({ message: "Invalid email" });
+export const ZUserEmail = z.string().max(255).email({ message: "Invalid email" });
 
 export type TUserEmail = z.infer<typeof ZUserEmail>;
 
 export const ZUserPassword = z
   .string()
   .min(8)
+  .max(128, { message: "Password must be 128 characters or less" })
   .regex(/^(?=.*[A-Z])(?=.*\d).*$/);
 
 export type TUserPassword = z.infer<typeof ZUserPassword>;