[PR #5037] [MERGED] fix: add password character validation to onboarding single-user setup #4869

Closed
opened 2026-02-22 18:36:42 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/5037
Author: @angelplusultra
Created: 2/20/2026
Status: Merged
Merged: 2/23/2026
Merged by: @timothycarambat

Base: masterHead: 5036-bug-single-user-password-with-character-silently-corrupted-during-onboarding


📝 Commits (2)

📊 Changes

2 files changed (+11 additions, -1 deletions)

View changed files

📝 frontend/src/pages/GeneralSettings/Security/index.jsx (+1 -1)
📝 frontend/src/pages/OnboardingFlow/Steps/UserSetup/index.jsx (+10 -0)

📄 Description

Pull Request Type

  • feat (New feature)
  • 🐛 fix (Bug fix)
  • ♻️ refactor (Code refactoring without changing behavior)
  • 💄 style (UI style changes)
  • 🔨 chore (Build, CI, maintenance)
  • 📝 docs (Documentation updates)

Relevant Issues

resolves #5036

Description

The onboarding single-user password form was missing the same character validation that exists on the Security settings page. Passwords containing # (and other restricted characters) were accepted during onboarding but silently truncated when written to the .env file by sanitizeValue(), since # denotes comments in .env files. After a server restart, the truncated AUTH_TOKEN is loaded and the user's original password no longer matches — leaving the instance fully exposed with no working authentication.

This adds the same PW_REGEX check (/^[a-zA-Z0-9_\-!@$%^&*();]+$/) already used in the Security settings page and the backend noRestrictedChars() validation to the onboarding password form, rejecting invalid characters with a toast error before submission.

Additional Information

Steps to reproduce the original bug:

  1. Go to onboarding
  2. When it asks who the instance is for, choose "Just myself"
  3. Choose to set up a password
  4. Enter a password with a # character such as Password123!@#
  5. Navigate to home
  6. Go to Settings > Security
  7. Notice password mode is disabled
  8. Navigate home
  9. Click avatar and logout — notice how it doesn't redirect you to login. The instance is fully exposed even though it looked like it was protected.

Developer Validations

  • I ran yarn lint from the root of the repo & committed changes
  • Relevant documentation has been updated (if applicable)
  • I have tested my code functionality
  • Docker build succeeds locally

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/5037 **Author:** [@angelplusultra](https://github.com/angelplusultra) **Created:** 2/20/2026 **Status:** ✅ Merged **Merged:** 2/23/2026 **Merged by:** [@timothycarambat](https://github.com/timothycarambat) **Base:** `master` ← **Head:** `5036-bug-single-user-password-with-character-silently-corrupted-during-onboarding` --- ### 📝 Commits (2) - [`770b870`](https://github.com/Mintplex-Labs/anything-llm/commit/770b870d7bbfd5fb3b1319f149ba9a72f4f1ca65) fix single user mode password bug - [`0ae0945`](https://github.com/Mintplex-Labs/anything-llm/commit/0ae09451054f9990208ec93861a3c306b234a689) share const ### 📊 Changes **2 files changed** (+11 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `frontend/src/pages/GeneralSettings/Security/index.jsx` (+1 -1) 📝 `frontend/src/pages/OnboardingFlow/Steps/UserSetup/index.jsx` (+10 -0) </details> ### 📄 Description ### Pull Request Type - [ ] ✨ feat (New feature) - [x] 🐛 fix (Bug fix) - [ ] ♻️ refactor (Code refactoring without changing behavior) - [ ] 💄 style (UI style changes) - [ ] 🔨 chore (Build, CI, maintenance) - [ ] 📝 docs (Documentation updates) ### Relevant Issues resolves #5036 ### Description The onboarding single-user password form was missing the same character validation that exists on the Security settings page. Passwords containing `#` (and other restricted characters) were accepted during onboarding but silently truncated when written to the `.env` file by `sanitizeValue()`, since `#` denotes comments in `.env` files. After a server restart, the truncated `AUTH_TOKEN` is loaded and the user's original password no longer matches — leaving the instance fully exposed with no working authentication. This adds the same `PW_REGEX` check (`/^[a-zA-Z0-9_\-!@$%^&*();]+$/`) already used in the Security settings page and the backend `noRestrictedChars()` validation to the onboarding password form, rejecting invalid characters with a toast error before submission. ### Additional Information Steps to reproduce the original bug: 1. Go to onboarding 2. When it asks who the instance is for, choose "Just myself" 3. Choose to set up a password 4. Enter a password with a `#` character such as `Password123!@#` 5. Navigate to home 6. Go to Settings > Security 7. Notice password mode is disabled 8. Navigate home 9. Click avatar and logout — notice how it doesn't redirect you to login. The instance is fully exposed even though it looked like it was protected. ### Developer Validations - [x] I ran `yarn lint` from the root of the repo & committed changes - [ ] Relevant documentation has been updated (if applicable) - [x] I have tested my code functionality - [ ] Docker build succeeds locally --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:36:42 -05:00
yindo changed title from [PR #5037] fix: add password character validation to onboarding single-user setup to [PR #5037] [MERGED] fix: add password character validation to onboarding single-user setup 2026-06-05 15:20:48 -04:00
yindo closed this issue 2026-06-05 15:20:48 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#4869