From cb31e628e5dccdcd369edb30f491238bf03f75cb Mon Sep 17 00:00:00 2001
From: appleboy
Date: Sat, 16 Dec 2023 22:16:03 +0800
Subject: [PATCH 1/3] refactor: refactor user authentication and data validation

- Modify the `Password` field in `CreateUserOption` struct to remove the `Required` tag
- Update the `v1_json.tmpl` template to include the `email` field and remove the `password` field

Signed-off-by: appleboy
---
 modules/structs/admin_user.go | 5 ++---
 templates/swagger/v1_json.tmpl | 3 +--
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/modules/structs/admin_user.go b/modules/structs/admin_user.go
index 4d679c81d0017..f7c6d10ba0f83 100644
--- a/modules/structs/admin_user.go
+++ b/modules/structs/admin_user.go
@@ -15,9 +15,8 @@ type CreateUserOption struct {
 FullName string `json:"full_name" binding:"MaxSize(100)"`
 // required: true
 // swagger:strfmt email
- Email string `json:"email" binding:"Required;Email;MaxSize(254)"`
- // required: true
- Password string `json:"password" binding:"Required;MaxSize(255)"`
+ Email string `json:"email" binding:"Required;Email;MaxSize(254)"`
+ Password string `json:"password" binding:"MaxSize(255)"`
 MustChangePassword *bool `json:"must_change_password"`
 SendNotify bool `json:"send_notify"`
 Restricted *bool `json:"restricted"`
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 6cf2beafec6e8..215c1692f61a0 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -18406,8 +18406,7 @@
 "type": "object",
 "required": [
 "username",
- "email",
- "password"
+ "email"
 ],
 "properties": {
 "created_at": {

From 4d1492769b363b30d10418c720bbff630b827f58 Mon Sep 17 00:00:00 2001
From: appleboy
Date: Sat, 16 Dec 2023 23:18:25 +0800
Subject: [PATCH 2/3] feat: add password validation to CreateUser function

- Add validation for password requirement in CreateUser function

Signed-off-by: appleboy
---
 routers/api/v1/admin/user.go | 7 +++++++
 1 file changed, 7 insertions(+)

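Review bot: With `Required` dropped from the Password binding and `password` removed from the swagger `required` list in the second file, the API documentation now presents the field as unconditionally optional, yet nothing on the new `Password` line tells a client when it may actually be omitted; the later commits in this series appear to reject a missing password whenever the created account uses the plain login type. A doc comment on the new field line would carry that contract into the generated swagger: `// Password is required when the user is created with a plain (local) login source; it may be omitted for users bound to an external authentication source.` The `CreateUserOption` struct starts before this hunk and its body continues past it.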
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 09d7c1a9403a9..3d47891b28a67 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -93,6 +93,13 @@ func CreateUser(ctx *context.APIContext) {
 if ctx.Written() {
 return
 }
+
+ if u.LoginType == auth.Plain && len(form.Password) == 0 {
+ err := errors.New("PasswordIsRequired")
+ ctx.Error(http.StatusBadRequest, "PasswordIsRequired", err)
+ return
+ }
+
 if !password.IsComplexEnough(form.Password) {
 err := errors.New("PasswordComplexity")
 ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)

From dea9c50baaac294a6c10ffd2317583980893c290 Mon Sep 17 00:00:00 2001
From: Bo-Yi Wu
Date: Mon, 18 Dec 2023 14:28:22 +0800
Subject: [PATCH 3/3] feat: refactor user authentication and password handling in CreateUser function

- Modify the condition for `u.LoginType` and `form.Password` in `CreateUser` function
- Add an empty line in `CreateUser` function

Signed-off-by: Bo-Yi Wu
---
 routers/api/v1/admin/user.go | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 3d47891b28a67..91b5f3a1b0b64 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -94,24 +94,27 @@ func CreateUser(ctx *context.APIContext) {
 return
 }
 
- if u.LoginType == auth.Plain && len(form.Password) == 0 {
- err := errors.New("PasswordIsRequired")
- ctx.Error(http.StatusBadRequest, "PasswordIsRequired", err)
- return
- }
+ if u.LoginType == auth.Plain {
+ if len(form.Password) < setting.MinPasswordLength {
+ err := errors.New("PasswordIsRequired")
+ ctx.Error(http.StatusBadRequest, "PasswordIsRequired", err)
+ return
+ }
 
- if !password.IsComplexEnough(form.Password) {
- err := errors.New("PasswordComplexity")
- ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)
- return
- }
- pwned, err := password.IsPwned(ctx, form.Password)
- if pwned {
- if err != nil {
- log.Error(err.Error())
+ if !password.IsComplexEnough(form.Password) {
+ err := errors.New("PasswordComplexity")
+ ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)
+ return
+ }
+
+ pwned, err := password.IsPwned(ctx, form.Password)
+ if pwned {
+ if err != nil {
+ log.Error(err.Error())
+ }
+ ctx.Error(http.StatusBadRequest, "PasswordPwned", errors.New("PasswordPwned"))
+ return
 }
- ctx.Error(http.StatusBadRequest, "PasswordPwned", errors.New("PasswordPwned"))
- return
 }
 
 overwriteDefault := &user_model.CreateUserOverwriteOptions{
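Review bot: The new guard `if len(form.Password) < setting.MinPasswordLength` reports every short-but-present password as `PasswordIsRequired`, so a client that sent a five-character password is told the field is missing rather than too short, and has no way to learn the configured minimum from the response. Separating the empty case from the minimum-length case keeps the existing `PasswordIsRequired` semantics and gives the length failure its own title; `PasswordTooShort` below is a constructed label for that new case. Note also that `len` counts bytes, not characters, so a password made of multi-byte characters may satisfy the check with fewer characters than `setting.MinPasswordLength` — presumably the same behaviour as the web form's check, but worth confirming. `CreateUser` starts before this hunk and continues after it.
```go
	if u.LoginType == auth.Plain {
		if len(form.Password) == 0 {
			ctx.Error(http.StatusBadRequest, "PasswordIsRequired", errors.New("PasswordIsRequired"))
			return
		}
		if len(form.Password) < setting.MinPasswordLength {
			// Constructed label: the field is present but shorter than setting.MinPasswordLength.
			ctx.Error(http.StatusBadRequest, "PasswordTooShort", errors.New("PasswordTooShort"))
			return
		}
		// … unchanged: complexity and pwned checks …
```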