Skip to content

fix(ui): Redirect users with long imported passwords to reset password#7617

Draft
dmoerner wants to merge 2 commits intomainfrom
daniel/user-4417-update-the-ui-to-catch-password-too-long-to-migrate-error
Draft

fix(ui): Redirect users with long imported passwords to reset password#7617
dmoerner wants to merge 2 commits intomainfrom
daniel/user-4417-update-the-ui-to-catch-password-too-long-to-migrate-error

Conversation

@dmoerner
Copy link
Contributor

@dmoerner dmoerner commented Jan 17, 2026
edited by coderabbitai bot
Loading

Description

User passwords imported with insecure hashers are automatically migrated to bcrypt by the Clerk backend. However, there is a maximum length to a bcrypt password because hashing is computationally intensive. Users with too long imported passwords would encounter an error on login. The backend error handling has been improved for this case; capture the backend error and direct the user to the reset password flow.

Feedback on the exact text would be welcome; I felt that a title like "Password too long" was weird and used the more generic "Password must be reset", but I'm happy to adjust this.

Fixes USER-4417

Before:

image

After:

Screenshot 2026-01-17 at 13-04-04 My account My Application

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • New Features
    • Added a flow that prompts imported users with overly long passwords to reset their password.
    • Users see a "Password must be reset" message and are guided to reset via email or SMS.
    • Sign-in UI and error messaging updated to surface the long-password recovery prompt.

✏️ Tip: You can customize this high-level summary in your review settings.

@dmoerner
feat(ui): Redirect users with long imported passwords to reset password
cb78dd3 
User passwords imported with insecure hashers are automatically migrated
to bcrypt by the Clerk backend. However, there is a maximum length to a
bcrypt password because hashing is computationally intensive. Users with
too long imported passwords would encounter an error on login. The
backend error handling has been improved for this case; capture the
backend error and direct the user to the reset password flow.
@changeset-bot
Copy link

changeset-bot bot commented Jan 17, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 6b11fe6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@clerk/ui Minor
@clerk/chrome-extension Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link

vercel bot commented Jan 17, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jan 20, 2026 6:20pm

Request Review

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 17, 2026
edited
Loading

📝 Walkthrough

Walkthrough

This pull request adds handling for the password_too_long_needs_reset error across the authentication UI. It introduces an isPasswordTooLongError helper, expands localization with a signIn.passwordTooLong.title and corresponding unstable error message, adds a passwordTooLong AlternativeMethodsMode, updates sign-in components to route to a reset flow for that error, and includes tests covering email and phone reset flows.

🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely summarizes the main change: redirecting users with long imported passwords to password reset.
Linked Issues check ✅ Passed All objectives from USER-4417 are met: the PR detects the password_too_long_needs_reset error, updates UI components to handle it, and directs users to reset-password flow like compromised passwords.
Out of Scope Changes check ✅ Passed All changes are scoped to handling the password_too_long_needs_reset error and implementing the reset-password flow; no unrelated modifications detected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 17, 2026
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7617

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7617

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7617

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7617

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7617

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7617

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7617

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7617

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7617

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7617

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7617

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7617

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7617

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7617

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7617

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7617

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7617

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7617

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7617

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7617

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7617

commit: 6b11fe6

@dmoerner dmoerner marked this pull request as draft January 20, 2026 20:37
@dmoerner
Copy link
Contributor Author

dmoerner commented Jan 20, 2026

Switching to draft: This PR currently still requires email code reverification (or similar) in most flows as a condition of resetting the password. This should not actually be necessary for passwords of this length. Investigate directly taking the user to the reset password page.

Also, note: Will need to regenerate localizations pnpm --filter @clerk/localizations generate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

core-3 localizations

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dmoerner