Truncate password to 55 bytes

src/invidious.cr

@@ -1073,7 +1073,7 @@ post "/login" do |env|
         next templated "error"
       end
 
-      if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
+      if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
         sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
         PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
 
@@ -1107,6 +1107,19 @@ post "/login" do |env|
         next templated "error"
       end
 
+      if password.empty?
+        error_message = translate(locale, "Password cannot be empty")
+        next templated "error"
+      end
+
+      # See https://security.stackexchange.com/a/39851
+      if password.bytesize > 55
+        error_message = translate(locale, "Password should not be longer than 55 characters")
+        next templated "error"
+      end
+
+      password = password.byte_slice(0, 55)
+
       if config.captcha_enabled
         captcha_type = env.params.body["captcha_type"]?
         answer = env.params.body["answer"]?
@@ -1168,17 +1181,6 @@ post "/login" do |env|
         end
       end
 
-      if password.empty?
-        error_message = translate(locale, "Password cannot be empty")
-        next templated "error"
-      end
-
-      # See https://security.stackexchange.com/a/39851
-      if password.size > 55
-        error_message = translate(locale, "Password cannot be longer than 55 characters")
-        next templated "error"
-      end
-
       sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
       user, sid = create_user(sid, email, password)
       user_array = user.to_a