Bug Description
In internal/validators/password.go:14-43, the IsValidPassword function accepts an isStrongPasswordDisabled parameter but never uses it. Strong password rules (uppercase, lowercase, digit, special char) are always enforced regardless of the parameter value.
Impact
MEDIUM — The EnableStrongPassword config setting has no effect. Users always get strong password requirements even when the admin disables them.
Fix
When isStrongPasswordDisabled is true, only check min/max length and skip the character class checks.
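
A sketch of the fix described above, added here as an example and not taken from the project's code. The function signature, the 6 and 36 length bounds and the error messages are assumptions; only the names IsValidPassword and isStrongPasswordDisabled come from the report.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
	"unicode/utf8"
)

// Assumed length bounds; the report does not state the project's values.
const (
	minPasswordLen = 6
	maxPasswordLen = 36
)

// IsValidPassword (assumed signature) always enforces the length bounds.
// Character-class checks run only when strong passwords are not disabled,
// so the flag now changes the outcome.
func IsValidPassword(password string, isStrongPasswordDisabled bool) error {
	n := utf8.RuneCountInString(password)
	if n < minPasswordLen || n > maxPasswordLen {
		return errors.New("password length out of range")
	}
	if isStrongPasswordDisabled {
		return nil // length-only policy requested by the admin
	}
	var upper, lower, digit, special bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if !(upper && lower && digit && special) {
		return errors.New("password needs upper, lower, digit and special characters")
	}
	return nil
}

func main() {
	fmt.Println(IsValidPassword("lowercaseonly", true))  // constructed input
	fmt.Println(IsValidPassword("lowercaseonly", false)) // constructed input
}
```

A regression test for this bug should call the validator with the same password under both flag values, since the original defect was only visible as identical results for true and false.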