security: enforce min length for user password (#1555)

* fix typing on auth context * extract user password strength meter * fix broken useToggle method * extend form to accept arguments for validators * enforce password length on update * fix user password change form
2026-01-03 23:51:22 -05:00 · 2022-08-13 21:38:26 -08:00
parent b3c41a4bd0
commit 54c4f19a5c
9 changed files with 105 additions and 95 deletions
--- a/mealie/routes/users/crud.py
+++ b/mealie/routes/users/crud.py
@@ -58,6 +58,23 @@ class UserController(BaseUserController):
    def get_logged_in_user(self):
        return self.user

+    @user_router.put("/password")
+    def update_password(self, password_change: ChangePassword):
+        """Resets the User Password"""
+        if not verify_password(password_change.current_password, self.user.password):
+            raise HTTPException(status.HTTP_400_BAD_REQUEST, ErrorResponse.respond("Invalid current password"))
+
+        self.user.password = hash_password(password_change.new_password)
+        try:
+            self.repos.users.update_password(self.user.id, self.user.password)
+        except Exception as e:
+            raise HTTPException(
+                status.HTTP_400_BAD_REQUEST,
+                ErrorResponse.respond("Failed to update password"),
+            ) from e
+
+        return SuccessResponse.respond("Password updated")
+
    @user_router.put("/{item_id}")
    def update_user(self, item_id: UUID4, new_data: UserBase):
        assert_user_change_allowed(item_id, self.user)
@@ -83,20 +100,3 @@ class UserController(BaseUserController):
            ) from e

        return SuccessResponse.respond("User updated")
-
-    @user_router.put("/password")
-    def update_password(self, password_change: ChangePassword):
-        """Resets the User Password"""
-        if not verify_password(password_change.current_password, self.user.password):
-            raise HTTPException(status.HTTP_400_BAD_REQUEST, ErrorResponse.respond("Invalid current password"))
-
-        self.user.password = hash_password(password_change.new_password)
-        try:
-            self.repos.users.update_password(self.user.id, self.user.password)
-        except Exception as e:
-            raise HTTPException(
-                status.HTTP_400_BAD_REQUEST,
-                ErrorResponse.respond("Failed to update password"),
-            ) from e
-
-        return SuccessResponse.respond("Password updated")
--- a/mealie/schema/user/user.py
+++ b/mealie/schema/user/user.py
@@ -3,7 +3,7 @@ from pathlib import Path
 from typing import Any, Optional
 from uuid import UUID

-from pydantic import UUID4, validator
+from pydantic import UUID4, Field, validator
 from pydantic.types import constr
 from pydantic.utils import GetterDict

@@ -49,7 +49,7 @@ class DeleteTokenResponse(MealieModel):

 class ChangePassword(MealieModel):
    current_password: str
-    new_password: str
+    new_password: str = Field(..., min_length=8)


 class GroupBase(MealieModel):