From fa0a82aab113b99769baeaff73d3f8eeff9fee20 Mon Sep 17 00:00:00 2001
From: Henrique Dias
Date: Sun, 29 Jun 2025 11:07:44 +0200
Subject: [PATCH] fix: passthrough the minimum password length
---
 auth/hook.go | 4 ++--
 auth/proxy.go | 2 +-
 cmd/root.go | 2 +-
 cmd/users_add.go | 2 +-
 cmd/users_update.go | 2 +-
 errors/errors.go | 14 ++++++++++++--
 http/auth.go | 4 ++--
 http/users.go | 28 +++++++++++-----------------
 users/password.go | 6 +++---
 9 files changed, 34 insertions(+), 30 deletions(-)
diff --git a/auth/hook.go b/auth/hook.go
index 9ccbd2fe..849a923d 100644
--- a/auth/hook.go
+++ b/auth/hook.go
@@ -150,7 +150,7 @@ func (a *HookAuth) SaveUser() (*users.User, error) {
 }
 if u == nil {
- pass, err := users.HashAndValidatePwd(a.Cred.Password, a.Settings.MinimumPasswordLength)
+ pass, err := users.ValidateAndHashPwd(a.Cred.Password, a.Settings.MinimumPasswordLength)
 if err != nil {
 return nil, err
 }
@@ -186,7 +186,7 @@ func (a *HookAuth) SaveUser() (*users.User, error) {
 // update the password when it doesn't match the current
 if p {
- pass, err := users.HashAndValidatePwd(a.Cred.Password, a.Settings.MinimumPasswordLength)
+ pass, err := users.ValidateAndHashPwd(a.Cred.Password, a.Settings.MinimumPasswordLength)
 if err != nil {
 return nil, err
 }
diff --git a/auth/proxy.go b/auth/proxy.go
index 61312f1a..301aa292 100644
--- a/auth/proxy.go
+++ b/auth/proxy.go
@@ -35,7 +35,7 @@ func (a ProxyAuth) createUser(usr users.Store, setting *settings.Settings, srv *
 }
 var hashedRandomPassword string
- hashedRandomPassword, err = users.HashAndValidatePwd(pwd, setting.MinimumPasswordLength)
+ hashedRandomPassword, err = users.ValidateAndHashPwd(pwd, setting.MinimumPasswordLength)
 if err != nil {
 return nil, err
 }
diff --git a/cmd/root.go b/cmd/root.go
index c2ee7c73..4b6819b7 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -432,7 +432,7 @@ func quickSetup(flags *pflag.FlagSet, d pythonData) {
 log.Println("Randomly generated password for user 'admin':", pwd)
- password, err = users.HashAndValidatePwd(pwd, set.MinimumPasswordLength)
+ password, err = users.ValidateAndHashPwd(pwd, set.MinimumPasswordLength)
 checkErr(err)
 }
diff --git a/cmd/users_add.go b/cmd/users_add.go
index 4b344107..c3b8af28 100644
--- a/cmd/users_add.go
+++ b/cmd/users_add.go
@@ -21,7 +21,7 @@ var usersAddCmd = &cobra.Command{
 checkErr(err)
 getUserDefaults(cmd.Flags(), &s.Defaults, false)
- password, err := users.HashAndValidatePwd(args[1], s.MinimumPasswordLength)
+ password, err := users.ValidateAndHashPwd(args[1], s.MinimumPasswordLength)
 checkErr(err)
 user := &users.User{
diff --git a/cmd/users_update.go b/cmd/users_update.go
index aa06abee..2c58c4af 100644
--- a/cmd/users_update.go
+++ b/cmd/users_update.go
@@ -66,7 +66,7 @@ options you want to change.`,
 }
 if password != "" {
- user.Password, err = users.HashAndValidatePwd(password, s.MinimumPasswordLength)
+ user.Password, err = users.ValidateAndHashPwd(password, s.MinimumPasswordLength)
 checkErr(err)
 }
diff --git a/errors/errors.go b/errors/errors.go
index 7bb10e81..ca7121e4 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -1,13 +1,15 @@
 package errors
-import "errors"
+import (
+ "errors"
+ "fmt"
+)
 var (
 ErrEmptyKey = errors.New("empty key")
 ErrExist = errors.New("the resource already exists")
 ErrNotExist = errors.New("the resource does not exist")
 ErrEmptyPassword = errors.New("password is empty")
- ErrShortPassword = errors.New("password is too short")
 ErrEmptyUsername = errors.New("username is empty")
 ErrEmptyRequest = errors.New("empty request")
 ErrScopeIsRelative = errors.New("scope is a relative path")
@@ -20,3 +22,11 @@ var (
 ErrSourceIsParent = errors.New("source is parent")
 ErrRootUserDeletion = errors.New("user with id 1 can't be deleted")
 )
+
+type ErrShortPassword struct {
+ MinimumLength uint
+}
+
+func (e ErrShortPassword) Error() string {
+ return fmt.Sprintf("password is too short, minimum length is %d", e.MinimumLength)
+}
diff --git a/http/auth.go b/http/auth.go
index 54f5fe9b..304762c8 100644
--- a/http/auth.go
+++ b/http/auth.go
@@ -151,9 +151,9 @@ var signupHandler = func(_ http.ResponseWriter, r *http.Request, d *data) (int,
 d.settings.Defaults.Apply(user)
- pwd, err := users.HashAndValidatePwd(info.Password, d.settings.MinimumPasswordLength)
+ pwd, err := users.ValidateAndHashPwd(info.Password, d.settings.MinimumPasswordLength)
 if err != nil {
- return http.StatusInternalServerError, err
+ return http.StatusBadRequest, err
 }
 user.Password = pwd
diff --git a/http/users.go b/http/users.go
index 5eea184e..4185e82e 100644
--- a/http/users.go
+++ b/http/users.go
@@ -125,13 +125,9 @@ var userPostHandler = withAdmin(func(w http.ResponseWriter, r *http.Request, d *
 return http.StatusBadRequest, fbErrors.ErrEmptyPassword
 }
- if len(req.Data.Password) < int(d.settings.MinimumPasswordLength) {
- return http.StatusBadRequest, fbErrors.ErrShortPassword
- }
-
- req.Data.Password, err = users.HashAndValidatePwd(req.Data.Password, d.settings.MinimumPasswordLength)
+ req.Data.Password, err = users.ValidateAndHashPwd(req.Data.Password, d.settings.MinimumPasswordLength)
 if err != nil {
- return http.StatusInternalServerError, err
+ return http.StatusBadRequest, err
 }
 userHome, err := d.settings.MakeUserDir(req.Data.Username, req.Data.Scope, d.server.Root)
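Review bot: The new exported type `ErrShortPassword` in errors/errors.go has no doc comment, and since it replaces a sentinel variable with a struct value, any caller outside this patch that still writes `err == fbErrors.ErrShortPassword` or `errors.Is(err, fbErrors.ErrShortPassword)` will no longer compile; the matching form is now `var e fbErrors.ErrShortPassword; errors.As(err, &e)`. Suggest `// ErrShortPassword is returned by password validation when the password is shorter than MinimumLength.` above the type and `// Error implements the error interface.` above the method. As a point of style, Go names error types `XxxError` and reserves the `ErrXxx` form for sentinel values, so `ShortPasswordError` would read more conventionally, though the rename is optional.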
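Review bot: The status change at `return http.StatusBadRequest, err` in the http/auth.go hunk now classifies every error from `users.ValidateAndHashPwd` as a client error, but that function also propagates `HashPwd`'s error (see the users/password.go hunk), which is an internal hashing failure and should still surface as a 500. Only the `fbErrors.ErrShortPassword` case is the caller's fault; distinguish it with `errors.As` as below, which needs the standard `errors` import and the `fbErrors` alias that http/users.go already uses. The same mapping was applied in the http/users.go hunks at @@ -125 (userPostHandler) and @@ -167 and @@ -190 (userPutHandler) and would take the same fix. signupHandler's body continues outside the hunk.
```go
	pwd, err := users.ValidateAndHashPwd(info.Password, d.settings.MinimumPasswordLength)
	if err != nil {
		// Only a too-short password is the client's fault; a hashing failure stays a server error.
		var short fbErrors.ErrShortPassword
		if errors.As(err, &short) {
			return http.StatusBadRequest, err
		}
		return http.StatusInternalServerError, err
	}
	// … unchanged: user.Password = pwd …
```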
@@ -167,17 +163,19 @@ var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 }
 if req.Data.Password != "" {
- req.Data.Password, err = users.HashAndValidatePwd(req.Data.Password, d.settings.MinimumPasswordLength)
+ req.Data.Password, err = users.ValidateAndHashPwd(req.Data.Password, d.settings.MinimumPasswordLength)
+ if err != nil {
+ return http.StatusBadRequest, err
+ }
 } else {
 var suser *users.User
 suser, err = d.store.Users.Get(d.server.Root, d.raw.(uint))
+ if err != nil {
+ return http.StatusInternalServerError, err
+ }
 req.Data.Password = suser.Password
 }
- if err != nil {
- return http.StatusInternalServerError, err
- }
-
 req.Which = []string{}
 }
@@ -190,13 +188,9 @@ var userPutHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 return http.StatusForbidden, nil
 }
- if len(req.Data.Password) < int(d.settings.MinimumPasswordLength) {
- return http.StatusBadRequest, fbErrors.ErrShortPassword
- }
-
- req.Data.Password, err = users.HashAndValidatePwd(req.Data.Password, d.settings.MinimumPasswordLength)
+ req.Data.Password, err = users.ValidateAndHashPwd(req.Data.Password, d.settings.MinimumPasswordLength)
 if err != nil {
- return http.StatusInternalServerError, err
+ return http.StatusBadRequest, err
 }
 }
diff --git a/users/password.go b/users/password.go
index 7260f2c3..b36e780c 100644
--- a/users/password.go
+++ b/users/password.go
@@ -9,10 +9,10 @@ import (
 fbErrors "github.com/filebrowser/filebrowser/v2/errors"
 )
-// HashPwd hashes a password.
-func HashAndValidatePwd(password string, minimumLength uint) (string, error) {
+// ValidateAndHashPwd validates and hashes a password.
+func ValidateAndHashPwd(password string, minimumLength uint) (string, error) {
 if uint(len(password)) < minimumLength {
- return "", fbErrors.ErrShortPassword
+ return "", fbErrors.ErrShortPassword{MinimumLength: minimumLength}
 }
 return HashPwd(password)
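Review bot: `if uint(len(password)) < minimumLength {` in the users/password.go hunk compares the UTF-8 byte length, so the minimum is enforced in bytes rather than characters and a password made of multi-byte runes satisfies the check with fewer characters than the operator configured. If the setting is meant as a character count, use `if uint(utf8.RuneCountInString(password)) < minimumLength {` with `unicode/utf8` imported. The new doc comment could also state the contract, e.g. `// ValidateAndHashPwd rejects a password shorter than minimumLength with fbErrors.ErrShortPassword and otherwise returns its hash from HashPwd.` The function's closing brace lies outside the hunk.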