Bug description
The password validation logic in SigNoz contains several technical flaws and UI inconsistencies that impact the onboarding experience:
- Incorrect Length Calculation (Backend): Uses len(password) instead of rune count. This allows multi-byte characters (emojis/non-Latin scripts) to satisfy the 12-character requirement with as few as 3-4 actual characters.
- Over-restrictive Whitelist (Backend): Rejects valid symbols like ;, ', and (space) because they aren't in a hardcoded list.
- Internal Generator Conflict (Backend): The random generator can produce semicolons, which the validator then rejects, potentially causing panics in MustGenerateFactorPassword.
- Stale Error Messages (Frontend): Backend validation errors (e.g., "invalid password") are not cleared when the user modifies the password field.
- Broken Error Formatting: Error messages display Go-style slice formatting instead of a human-readable list.
Expected behavior
- Password length should be calculated based on character count (utf8.RuneCountInString), not bytes.
- The character whitelist should allow all printable characters (including ; and spaces).
- The frontend should clear stale backend errors when the user types.
- Error messages should be properly formatted for end-users.
How to reproduce
- Reproduce Length Bug: Enter 🚀🚀🚀Aa1 as a password. Observe that it is accepted despite being only 6 characters long.
- Reproduce Symbol Bug: Enter a 12+ character password containing a semicolon (e.g., Admin1234567;). Observe the "invalid password" rejection.
- Reproduce UI Bug:
  - Submit a short password (admin) to trigger a backend error alert.
  - Correct the password to be 12+ characters long.
  - Observe that the red error alert remains visible even after the "Access My Workspace" button becomes enabled.
Version information
- Signoz version: v0.120.0
- Browser version: Brave
- Your OS and version: macOS
- Your CPU Architecture(ARM/Intel): ARM
Additional context
The core logic is located in pkg/types/factor_password.go. The issue with the root user startup loop is also related, where the query-service can get stuck in a retry loop if a simple root password is provided in the configuration.
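Added example (not SigNoz code and not part of the original report): a minimal Go sketch of the byte-versus-rune length check and the printable-character rule described above, run against the report's own sample passwords. The function names are hypothetical, and treating "printable" as unicode.IsPrint is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

const minPasswordLength = 12 // the 12-character requirement from the report

// byteLengthOK reproduces the flawed check: len() counts UTF-8 bytes, not characters.
func byteLengthOK(password string) bool {
	return len(password) >= minPasswordLength
}

// validatePassword (hypothetical name) counts runes and accepts any printable
// character, collecting the problems found instead of stopping at the first.
func validatePassword(password string) []string {
	if !utf8.ValidString(password) {
		return []string{"must be valid UTF-8"}
	}
	var problems []string
	if n := utf8.RuneCountInString(password); n < minPasswordLength {
		problems = append(problems,
			fmt.Sprintf("must be at least %d characters (got %d)", minPasswordLength, n))
	}
	for _, r := range password {
		if !unicode.IsPrint(r) { // assumption: IsPrint defines "printable"; it allows ';', '\'' and ' '
			problems = append(problems, fmt.Sprintf("contains non-printable character %U", r))
			break
		}
	}
	return problems
}

// formatProblems joins the messages for display instead of printing the slice with %v.
func formatProblems(problems []string) string {
	return strings.Join(problems, "; ")
}

func main() {
	// Sample inputs: the first, second and last come from the report; the third is constructed.
	for _, pw := range []string{"🚀🚀🚀Aa1", "Admin1234567;", "correct horse 1", "admin"} {
		fmt.Printf("%q bytes=%d runes=%d byteCheck=%v problems=%q\n", pw, len(pw),
			utf8.RuneCountInString(pw), byteLengthOK(pw), formatProblems(validatePassword(pw)))
	}
}
```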