cthit · Portals · Oct 22, 2025 · Oct 21, 2025
@@ -3,13 +3,13 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath "org.springframework.boot:spring-boot-gradle-plugin:3.4.1"
+        classpath "org.springframework.boot:spring-boot-gradle-plugin:3.5.6"
     }
 }
 
 plugins {
     id "java"
-    id "org.springframework.boot" version "3.4.1"
+    id "org.springframework.boot" version "3.5.6"
     id "io.spring.dependency-management" version "1.1.7"
     id "com.diffplug.spotless" version "6.25.0"
 }
@@ -38,32 +38,32 @@ dependencies {
             "org.postgresql:postgresql:42.7.3",
 
             // Spring Boot
-            "org.springframework.boot:spring-boot:3.4.1",
-            "org.springframework.boot:spring-boot-autoconfigure:3.4.1",
-            "org.springframework.boot:spring-boot-starter-data-jpa:3.4.1",
-            "org.springframework.boot:spring-boot-starter-security:3.4.1",
-            "org.springframework.boot:spring-boot-starter-validation:3.4.1",
-            "org.springframework.boot:spring-boot-starter-web:3.4.1",
-            "org.springframework.boot:spring-boot-starter-oauth2-authorization-server:3.4.1",
+            "org.springframework.boot:spring-boot:3.5.6",
+            "org.springframework.boot:spring-boot-autoconfigure:3.5.6",
+            "org.springframework.boot:spring-boot-starter-data-jpa:3.5.2",
+            "org.springframework.boot:spring-boot-starter-security:3.5.6",
+            "org.springframework.boot:spring-boot-starter-validation:3.5.6",
+            "org.springframework.boot:spring-boot-starter-web:3.5.6",
+            "org.springframework.boot:spring-boot-starter-oauth2-authorization-server:3.5.6",
 
             // Spring session
-            "org.springframework.session:spring-session-core:3.4.1",
-            "org.springframework.session:spring-session-data-redis:3.4.1",
+            "org.springframework.session:spring-session-core:3.5.2",
+            "org.springframework.session:spring-session-data-redis:3.5.2",
 
             // Redis
-            "org.springframework.data:spring-data-redis:3.4.1",
+            "org.springframework.data:spring-data-redis:3.5.5",
     )
 
    runtimeOnly(
             // FlywayDB (Database migration)
             "org.flywaydb:flyway-core:9.21.0",
 
             // Spring Boot
-            "org.springframework.boot:spring-boot-devtools:3.4.1",
-            "org.springframework.boot:spring-boot-starter-data-redis:3.4.1",
+            "org.springframework.boot:spring-boot-devtools:3.5.6",
+            "org.springframework.boot:spring-boot-starter-data-redis:3.5.6",
 
             // Thymeleaf
-            "org.springframework.boot:spring-boot-starter-thymeleaf:3.4.1",
+            "org.springframework.boot:spring-boot-starter-thymeleaf:3.5.6",
             "org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.2.RELEASE",
 
             // web dependencies

@@ -164,7 +164,9 @@ public ModelAndView editPassword(
             new MeFacade.UpdatePassword(
                 form.currentPassword, form.newPassword, form.confirmNewPassword));
       }
-    } catch (IllegalArgumentException | MeFacade.NewPasswordNotConfirmedException e) {
+    } catch (IllegalArgumentException e) {
+      bindingResult.addError(new FieldError("form", "newPassword", e.getMessage()));
+    } catch (MeFacade.NewPasswordNotConfirmedException e) {
       bindingResult.addError(
           new FieldError("form", "confirmNewPassword", "Passwords were not the same"));
     } catch (MeFacade.PasswordIncorrectException e) {

@@ -9,6 +9,10 @@ public final class Tokens {
   private Tokens() {}
 
   public static String generate(int length, CharacterTypes... types) {
+    if (length > 72) {
+      throw new IllegalArgumentException("length must be less than 72");
+    }
+
     String characters =
         Arrays.stream(types).map(CharacterTypes::getCharacters).collect(Collectors.joining());
     SecureRandom rand = new SecureRandom();

@@ -12,6 +12,6 @@ public record UserActivationToken(String value) {
   }
 
   public static UserActivationToken generate() {
-    return new UserActivationToken(Tokens.generate(100, UPPERCASE, NUMBERS, LOWERCASE));
+    return new UserActivationToken(Tokens.generate(72, UPPERCASE, NUMBERS, LOWERCASE));
   }
 }
@@ -12,6 +12,6 @@ public record PasswordResetToken(String value) {
   }
 
   public static PasswordResetToken generate() {
-    return new PasswordResetToken(Tokens.generate(100, UPPERCASE, NUMBERS, LOWERCASE));
+    return new PasswordResetToken(Tokens.generate(72, UPPERCASE, NUMBERS, LOWERCASE));
   }
 }
@@ -63,7 +63,7 @@ public void ensureAnAdminUser() {
     } else {
       password =
           Tokens.generate(
-              75,
+              72,
               Tokens.CharacterTypes.LOWERCASE,
               Tokens.CharacterTypes.UPPERCASE,
               Tokens.CharacterTypes.NUMBERS);