password: Add password_max_length to register response.

This allows clients to render UI that disallows invalid passwords
before sending them to the server.

api_docs/changelog.md

@@ -20,6 +20,11 @@ format used by the Zulip server that they are interacting with.
 
 ## Changes in Zulip 10.0
 
+**Feature level 338**
+
+* [`POST /register`](/api/register-queue): Added `password_max_length`
+  field, which is the maximum allowed password length.
+
 **Feature level 337**
 
 * `POST /calls/bigbluebutton/create`: Added a `voice_only` parameter

version.py

@@ -34,7 +34,7 @@ DESKTOP_WARNING_VERSION = "5.9.3"
 # new level means in api_docs/changelog.md, as well as "**Changes**"
 # entries in the endpoint's documentation in `zulip.yaml`.
 
-API_FEATURE_LEVEL = 337  # Last bumped for voice_only param addition for BigBlueButton
+API_FEATURE_LEVEL = 338  # Last bumped for adding password_max_length.
 
 # Bump the minor PROVISION_VERSION to indicate that folks should provision
 # only when going from an old version of the code to a newer version. Bump

web/src/settings_account.ts

@@ -485,6 +485,7 @@ export function set_up(): void {
             html_heading: $t_html({defaultMessage: "Change password"}),
             html_body: render_dialog_change_password({
                 password_min_length: realm.password_min_length,
+                password_max_length: realm.password_max_length,
                 password_min_guesses: realm.password_min_guesses,
             }),
             html_submit_button: $t_html({defaultMessage: "Change"}),

web/src/state_data.ts

@@ -275,6 +275,7 @@ export const realm_schema = z.object({
     max_topic_length: z.number(),
     password_min_guesses: z.number(),
     password_min_length: z.number(),
+    password_max_length: z.number(),
     realm_allow_edit_history: z.boolean(),
     realm_allow_message_editing: z.boolean(),
     realm_authentication_methods: z.record(

zerver/context_processors.py

@@ -195,6 +195,7 @@ def zulip_default_context(request: HttpRequest) -> dict[str, Any]:
         "support_email_html_tag": support_email_html_tag,
         "find_team_link_disabled": find_team_link_disabled,
         "password_min_length": settings.PASSWORD_MIN_LENGTH,
+        "password_max_length": settings.PASSWORD_MAX_LENGTH,
         "password_min_guesses": settings.PASSWORD_MIN_GUESSES,
         "zulip_version": ZULIP_VERSION,
         "user_is_authenticated": request.user.is_authenticated,

zerver/lib/events.py

@@ -383,6 +383,7 @@ def fetch_initial_state_data(
             state["realm_push_notifications_enabled_end_timestamp"] = None
 
         state["password_min_length"] = settings.PASSWORD_MIN_LENGTH
+        state["password_max_length"] = settings.PASSWORD_MAX_LENGTH
         state["password_min_guesses"] = settings.PASSWORD_MIN_GUESSES
         state["server_inline_image_preview"] = settings.INLINE_IMAGE_PREVIEW
         state["server_inline_url_embed_preview"] = settings.INLINE_URL_EMBED_PREVIEW

zerver/openapi/zulip.yaml

@@ -17600,6 +17600,16 @@ paths:
                           This Zulip server's configured minimum required length for passwords.
                           Necessary for password change UI to show whether the password
                           will be accepted.
+                      password_max_length:
+                        type: integer
+                        description: |
+                          Present if `realm` is present in `fetch_event_types`.
+
+                          This Zulip server's configured maximum length for passwords.
+                          Necessary for password change UI to show whether the password
+                          will be accepted.
+
+                          **Changes**: New in Zulip 10.0 (feature level 338).
                       password_min_guesses:
                         type: integer
                         description: |

zerver/tests/test_home.py

@@ -117,6 +117,7 @@ class HomeTest(ZulipTestCase):
         "onboarding_steps",
         "password_min_guesses",
         "password_min_length",
+        "password_max_length",
         "presences",
         "presence_last_update_id",
         "queue_id",

zproject/default_settings.py

@@ -220,6 +220,7 @@ INLINE_URL_EMBED_PREVIEW = True
 NAME_CHANGES_DISABLED = False
 AVATAR_CHANGES_DISABLED = False
 PASSWORD_MIN_LENGTH = 6
+PASSWORD_MAX_LENGTH = 100
 PASSWORD_MIN_GUESSES = 10000
 
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False

zproject/dev_settings.py

@@ -115,6 +115,7 @@ elif os.path.isfile(_candidate_apns_cert_file):
 
 # Don't require anything about password strength in development
 PASSWORD_MIN_LENGTH = 0
+PASSWORD_MAX_LENGTH = 100
 PASSWORD_MIN_GUESSES = 0
 
 # Two factor authentication: Use the fake backend for development.

zproject/prod_settings_template.py

@@ -771,6 +771,7 @@ SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
 ## Password strength requirements; learn about configuration at
 ## https://zulip.readthedocs.io/en/latest/production/security-model.html.
 # PASSWORD_MIN_LENGTH = 6
+# PASSWORD_MAX_LENGTH = 100
 # PASSWORD_MIN_GUESSES = 10000
 
 ## Controls whether Zulip sends "new login" email notifications.