fix(auth): centralize password and username validation constants (#4120)

Added PASSWORD_MIN_LENGTH and RESERVED_USERNAMES to src/constants.py as the single source of truth. Previously PASSWORD_MIN_LENGTH was hardcoded as 8 in four route handlers and all three JS validation paths; RESERVED_USERNAMES was an inline frozenset duplicated in core/auth.py, routes/assistant_routes.py, routes/research_routes.py, and src/task_scheduler.py. Added GET /api/auth/policy (unauthenticated) so the frontend reads the real values from the server instead of hardcoding them in JS. Added missing empty-username guard to /setup and admin POST /users. Both returned a misleading 500/409 on whitespace-only input. /signup already had the check; this makes all three consistent.
2026-06-24 05:35:31 -04:00 · 2026-06-16 02:52:15 -05:00
parent 2b519bf355
commit ee72d71872
12 changed files with 327 additions and 30 deletions
@@ -16,8 +16,9 @@ sys.path.insert(0, BASE_DIR)
 from src.constants import (
    DATA_DIR, AUTH_FILE, UPLOAD_DIR, PERSONAL_DIR, PERSONAL_UPLOADS_DIR,
    TTS_CACHE_DIR, GENERATED_IMAGES_DIR, DEEP_RESEARCH_DIR, CHROMA_DIR,
-    RAG_DIR, MEMORY_VECTORS_DIR,
+    RAG_DIR, MEMORY_VECTORS_DIR, PASSWORD_MIN_LENGTH,
 )
+from core.auth import RESERVED_USERNAMES

 DIRS = [
    DATA_DIR,
@@ -59,15 +60,23 @@ def _prompt_admin_credentials():
    print("  (Press Enter to accept defaults)")
    print()

-    username = input("  Username [admin]: ").strip().lower()
-    if not username:
-        username = "admin"
+    while True:
+        username = input("  Username [admin]: ").strip().lower()
+        if not username:
+            username = "admin"
+        if username in RESERVED_USERNAMES:
+            print(f"  '{username}' is a reserved username. Choose another.")
+            continue
+        break

    while True:
        password = getpass.getpass("  Password: ")
        if not password:
            print("  Password cannot be empty.")
            continue
+        if len(password) < PASSWORD_MIN_LENGTH:
+            print(f"  Password must be at least {PASSWORD_MIN_LENGTH} characters.")
+            continue
        confirm = getpass.getpass("  Confirm password: ")
        if password != confirm:
            print("  Passwords don't match. Try again.")
@@ -93,8 +102,13 @@ def create_default_admin():
        password = os.getenv("ODYSSEUS_ADMIN_PASSWORD", "").strip()

        if username and password:
-            # Both provided via env — use them directly
-            pass
+            # Both provided via env — validate before using
+            if username in RESERVED_USERNAMES:
+                print(f"  [error] ODYSSEUS_ADMIN_USER '{username}' is a reserved username")
+                return "failed"
+            if len(password) < PASSWORD_MIN_LENGTH:
+                print(f"  [error] ODYSSEUS_ADMIN_PASSWORD must be at least {PASSWORD_MIN_LENGTH} characters")
+                return "failed"
        elif sys.stdin.isatty() and not os.getenv("ODYSSEUS_SKIP_ADMIN_PROMPT"):
            # Interactive terminal — ask the user
            username, password = _prompt_admin_credentials()