diff --git a/access-key.go b/access-key.go index 72de0f858..2e141e645 100644 --- a/access-key.go +++ b/access-key.go @@ -44,10 +44,10 @@ const ( ) // isValidSecretKey - validate secret key. -var isValidSecretKey = regexp.MustCompile("^.{40}$") +var isValidSecretKey = regexp.MustCompile("^.{8,40}$") // isValidAccessKey - validate access key. -var isValidAccessKey = regexp.MustCompile("^[A-Z0-9\\-\\.\\_\\~]{20}$") +var isValidAccessKey = regexp.MustCompile("^[a-zA-Z0-9\\-\\.\\_\\~]{5,20}$") // mustGenAccessKeys - must generate access credentials. func mustGenAccessKeys() (creds credential) { diff --git a/web-handlers.go b/web-handlers.go index 32d055714..e04aeb38e 100644 --- a/web-handlers.go +++ b/web-handlers.go @@ -311,11 +311,11 @@ func (web *webAPI) SetAuth(r *http.Request, args *SetAuthArgs, reply *SetAuthRep if !isJWTReqAuthenticated(r) { return &json2.Error{Message: "Unauthorized request"} } - if args.AccessKey == "" { - return &json2.Error{Message: "Empty access key not allowed"} + if !isValidAccessKey.MatchString(args.AccessKey) { + return &json2.Error{Message: "Invalid Access Key"} } - if args.SecretKey == "" { - return &json2.Error{Message: "Empty secret key not allowed"} + if !isValidSecretKey.MatchString(args.SecretKey) { + return &json2.Error{Message: "Invalid Secret Key"} } cred := credential{args.AccessKey, args.SecretKey} serverConfig.SetCredential(cred)