fix: add configurable minimum password length (#5225)

2025-11-26 14:25:26 +08:00 · 2025-06-28 10:07:34 +02:00
parent 089255997a
commit 464b644adf
21 changed files with 122 additions and 77 deletions
--- a/http/auth.go
+++ b/http/auth.go
@@ -151,7 +151,7 @@ var signupHandler = func(_ http.ResponseWriter, r *http.Request, d *data) (int,

 	d.settings.Defaults.Apply(user)

-	pwd, err := users.HashPwd(info.Password)
+	pwd, err := users.HashAndValidatePwd(info.Password, d.settings.MinimumPasswordLength)
 	if err != nil {
 		return http.StatusInternalServerError, err
 	}
--- a/http/data.go
+++ b/http/data.go
@@ -73,6 +73,9 @@ func handle(fn handleFunc, prefix string, store *storage.Storage, server *settin

 		if status != 0 {
 			txt := http.StatusText(status)
+			if status == http.StatusBadRequest && err != nil {
+				txt += " (" + err.Error() + ")"
+			}
 			http.Error(w, strconv.Itoa(status)+" "+txt, status)
 			return
 		}
--- a/http/settings.go
+++ b/http/settings.go
@@ -9,28 +9,30 @@ import (
 )

 type settingsData struct {
-	Signup           bool                  `json:"signup"`
-	CreateUserDir    bool                  `json:"createUserDir"`
-	UserHomeBasePath string                `json:"userHomeBasePath"`
-	Defaults         settings.UserDefaults `json:"defaults"`
-	Rules            []rules.Rule          `json:"rules"`
-	Branding         settings.Branding     `json:"branding"`
-	Tus              settings.Tus          `json:"tus"`
-	Shell            []string              `json:"shell"`
-	Commands         map[string][]string   `json:"commands"`
+	Signup                bool                  `json:"signup"`
+	CreateUserDir         bool                  `json:"createUserDir"`
+	MinimumPasswordLength uint                  `json:"minimumPasswordLength"`
+	UserHomeBasePath      string                `json:"userHomeBasePath"`
+	Defaults              settings.UserDefaults `json:"defaults"`
+	Rules                 []rules.Rule          `json:"rules"`
+	Branding              settings.Branding     `json:"branding"`
+	Tus                   settings.Tus          `json:"tus"`
+	Shell                 []string              `json:"shell"`
+	Commands              map[string][]string   `json:"commands"`
 }

 var settingsGetHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 	data := &settingsData{
-		Signup:           d.settings.Signup,
-		CreateUserDir:    d.settings.CreateUserDir,
-		UserHomeBasePath: d.settings.UserHomeBasePath,
-		Defaults:         d.settings.Defaults,
-		Rules:            d.settings.Rules,
-		Branding:         d.settings.Branding,
-		Tus:              d.settings.Tus,
-		Shell:            d.settings.Shell,
-		Commands:         d.settings.Commands,
+		Signup:                d.settings.Signup,
+		CreateUserDir:         d.settings.CreateUserDir,
+		MinimumPasswordLength: d.settings.MinimumPasswordLength,
+		UserHomeBasePath:      d.settings.UserHomeBasePath,
+		Defaults:              d.settings.Defaults,
+		Rules:                 d.settings.Rules,
+		Branding:              d.settings.Branding,
+		Tus:                   d.settings.Tus,
+		Shell:                 d.settings.Shell,
+		Commands:              d.settings.Commands,
 	}

 	return renderJSON(w, r, data)
@@ -45,6 +47,7 @@ var settingsPutHandler = withAdmin(func(_ http.ResponseWriter, r *http.Request,

 	d.settings.Signup = req.Signup
 	d.settings.CreateUserDir = req.CreateUserDir
+	d.settings.MinimumPasswordLength = req.MinimumPasswordLength
 	d.settings.UserHomeBasePath = req.UserHomeBasePath
 	d.settings.Defaults = req.Defaults
 	d.settings.Rules = req.Rules
--- a/http/users.go
+++ b/http/users.go
@@ -125,7 +125,11 @@ var userPostHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *
 		return http.StatusBadRequest, fbErrors.ErrEmptyPassword
 	}

-	req.Data.Password, err = users.HashPwd(req.Data.Password)
+	if len(req.Data.Password) < int(d.settings.MinimumPasswordLength) {
+		return http.StatusBadRequest, fbErrors.ErrShortPassword
+	}
+
+	req.Data.Password, err = users.HashAndValidatePwd(req.Data.Password, d.settings.MinimumPasswordLength)
 	if err != nil {
 		return http.StatusInternalServerError, err
 	}
@@ -163,7 +167,7 @@ var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 		}

 		if req.Data.Password != "" {
-			req.Data.Password, err = users.HashPwd(req.Data.Password)
+			req.Data.Password, err = users.HashAndValidatePwd(req.Data.Password, d.settings.MinimumPasswordLength)
 		} else {
 			var suser *users.User
 			suser, err = d.store.Users.Get(d.server.Root, d.raw.(uint))
@@ -186,7 +190,11 @@ var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 				return http.StatusForbidden, nil
 			}

-			req.Data.Password, err = users.HashPwd(req.Data.Password)
+			if len(req.Data.Password) < int(d.settings.MinimumPasswordLength) {
+				return http.StatusBadRequest, fbErrors.ErrShortPassword
+			}
+
+			req.Data.Password, err = users.HashAndValidatePwd(req.Data.Password, d.settings.MinimumPasswordLength)
 			if err != nil {
 				return http.StatusInternalServerError, err
 			}