
Upload your own secret feature silently truncates secrets to 30 characters #21649

Open
spantaleev opened this issue Feb 17, 2025 · 0 comments

@spantaleev

Expected behavior and actual behavior:

When going into your User Profile -> CLI secret -> ... -> Upload your own secret button, there's no indication as to what the secret should look like.

I've used a 64-character secret (which I'm used to generating with pwgen -s 64 1) and it seemed to accept it.

Later on, I tried to authenticate (docker login ..) and saw that it was rejecting my secret.

So I copied the value from the CLI secret field using the Copy button. To my surprise, my secret was shortened to 30 characters.
I could successfully authenticate with this shortened secret.

Inspecting the input fields for specifying these new secrets, I noticed that there's size="30" maxlength="30" on them, so it seems like my secret is being cut off in the browser (regardless of what the server may or may not support).

I think that:

  • secrets longer than 30 characters are common and restricting to 30 characters is not great
  • if there is a limit (regardless of what it is), it should probably be shown near the input fields
  • if the user pastes something longer than the limit, it should not be silently cut off, but rather should show a validation error (and likely even leave the field empty instead of having it contain a truncated value)
  • similarly, when manually entering characters (instead of pasting), a validation error should be shown

💡 Since this could be difficult to fix, an easy fix that would go a long way would be: detect if the field currently contains 30 characters and show a warning:

You're at the limit of what this field supports (30 characters). If you've tried to use a longer secret, do know that it has been auto-truncated to the first 30 characters.

Versions:

  • Harbor version: v2.12.2-73072d0d
  • Running on Kubernetes (installed via the official Helm Chart)
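The difference between the reported behaviour (maxlength="30" silently dropping the rest of a pasted secret) and the explicit validation the report asks for, as an added example that is not Harbor's code. The 30-character limit comes from the issue; the function names, the hint element and the sample secret are constructed for this example.

```javascript
// Added example (not Harbor's code): explicit length validation for a
// CLI-secret field instead of relying on <input maxlength="30">, which
// silently truncates anything longer than 30 characters.

const SECRET_MAX_LENGTH = 30; // the maxlength="30" reported in the issue

// What the browser does with maxlength: the excess is dropped without notice.
function simulateMaxlength(value, max = SECRET_MAX_LENGTH) {
  return value.slice(0, max);
}

// Explicit validation: reject over-long input (instead of saving a truncated
// value) and warn when the field sits exactly at the limit, so a truncated
// paste cannot go unnoticed.
function validateSecret(value, max = SECRET_MAX_LENGTH) {
  if (value.length > max) {
    return {
      ok: false,
      level: "error",
      message: `Secret is ${value.length} characters; this field supports at most ` +
               `${max}. Nothing was saved; use a shorter secret.`,
    };
  }
  if (value.length === max) {
    return {
      ok: true,
      level: "warning",
      message: `You're at the limit of what this field supports (${max} characters). ` +
               `If you pasted a longer secret, it has been cut off.`,
    };
  }
  return { ok: true, level: "none", message: "" };
}

// Wiring for a real form (browser only; `input` and `hint` are assumed DOM
// elements). maxlength is removed so validation, not truncation, decides.
function attachSecretValidation(input, hint, max = SECRET_MAX_LENGTH) {
  input.removeAttribute("maxlength");
  input.addEventListener("input", () => {
    const result = validateSecret(input.value, max);
    hint.textContent = result.message;
    // A non-empty custom validity blocks form submission until it is fixed.
    input.setCustomValidity(result.ok ? "" : result.message);
  });
}

// Constructed sample: a 64-character secret, the length pwgen -s 64 1 produces.
const sampleSecret64 = "pwgen-style-sample-" + "x".repeat(45);
```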