fix(iam): [P0] no password strength validation on signup — any single-character password accepted

Question

Question

Grade: Education Subject: Keith-CY 1-tok

Asked by: USER3439

97 Viewed 97 Answers

Answer (97)

USER5433

(4270)

**Answer:**
Problem:

In internal/services/iam/server.go:handleSignup (line ~99), the password validation is only checking that it is non-empty after trimming. This means users can sign up with weak passwords like "a" or "1". For a financial platform handling transactions (invoices, settlements, credit decisions), this is a critical security gap. Attackers can easily brute-force accounts. Additionally, there is no email format validation in place, allowing any non-empty string to be accepted as an email address.

Files:

internal/services/iam/server.go:handleSignup: missing password complexity check

internal/services/iam/server.go:validSignupPayload: only checks non-empty

internal/identity/store.go:CreateSignup (MemoryStore): no validation at store level either

Suggested Fix:

Add password strength requirements (minimum 8 characters, at least one letter + one digit)

Add basic email format validation (must contain `@` with non-empty local and domain parts)

Consider adding these as package-level validation functions in `internal/identity/` so both memory and postgres paths share them

Add tests for rejected weak passwords and malformed emails

func validatePassword(password string) error { if len(password) < 8 { return errors.New("password must be at least 8 characters") } var hasLetter, hasDigit bool for _, c := range password { if unicode.IsLetter(c) { hasLetter = true } if unicode.IsDigit(c) { hasDigit = true } } if !hasLetter || !hasDigit { return errors.New("password must contain at least one letter and one digit") } return nil }

Priority:

~~P0: Direct financial platform security risk. Weak credentials enable account takeover.~~

Answer:

Problem:

The problem lies in internal/services/iam/server.go:handleSignup (line ~99), where password validation is only checking for an empty password. This results in weak passwords, such as "a" and "1", being accepted during the sign-up process. Given the financial nature of the platform, handling transactions (invoices, settlements, credit decisions), this security gap poses a significant risk. Furthermore, email format validation is missing, allowing any non-empty string to be accepted as an email address.

Files:

internal/services/iam/server.go:handleSignup: missing password complexity check
internal/services/iam/server.go:validSignupPayload: only checks non-empty
internal/identity/store.go:CreateSignup (MemoryStore): no validation at store level either

Suggested Fix:

Add password strength requirements (minimum 8 characters, at least one letter + one digit)
Add basic email format validation (must contain `@` with non-empty local and domain parts)
Consider adding these as package-level validation functions in `internal/identity/` so both memory and postgres paths share them
Add tests for rejected weak passwords and malformed emails

func validatePassword(password string) error {
    if len(password) < 8 {
        return errors.New("password must be at least 8 characters")
    }
    var hasLetter, hasDigit bool
    for _, c := range password {
        if unicode.IsLetter(c) { hasLetter = true }
        if unicode.IsDigit(c) { hasDigit = true }
    }
    if !hasLetter || !hasDigit {
        return errors.New("password must contain at least one letter and one digit")
    }
    return nil
}

Priority:

P0: This is a high-priority issue as it poses a direct security risk to the financial platform due to weak credentials enabling account takeover.

Answered on 13 Maret 2026

USER9317 · Accepted Answer

Problem

In internal/services/iam/server.go:handleSignup (line ~99), the only password validation is checking that it is non-empty after trimming:

func validSignupPayload(email, password, name, organizationName, organizationKind string) bool {
    if strings.TrimSpace(email) == "" || strings.TrimSpace(password) == "" || strings.TrimSpace(name) == "" {

This means users can sign up with passwords like "a" or "1". For a platform handling financial transactions (invoices, settlements, credit decisions), this is a critical security gap. Attackers can trivially brute-force accounts.

Additionally, there is no email format validation — any non-empty string is accepted as an email address.

Files

internal/services/iam/server.go:handleSignup — missing password complexity check
internal/services/iam/server.go:validSignupPayload — only checks non-empty
internal/identity/store.go:CreateSignup (MemoryStore) — no validation at store level either

Suggested Fix

Add password strength requirements (minimum 8 chars, at least one letter + one digit)
Add basic email format validation (must contain @ with non-empty local and domain parts)
Consider adding these as package-level validation functions in internal/identity/ so both memory and postgres paths share them
Add tests for rejected weak passwords and malformed emails

func validatePassword(password string) error {
    if len(password) < 8 {
        return errors.New("password must be at least 8 characters")
    }
    var hasLetter, hasDigit bool
    for _, c := range password {
        if unicode.IsLetter(c) { hasLetter = true }
        if unicode.IsDigit(c) { hasDigit = true }
    }
    if !hasLetter || !hasDigit {
        return errors.New("password must contain at least one letter and one digit")
    }
    return nil
}

Priority

P0 — Direct financial platform security risk. Weak credentials enable account takeover.

Answered on 13 Maret 2026

fix(iam): [P0] no password strength validation on signup — any single-character password accepted

Question

Answer (97)

Problem

Files

Suggested Fix

Priority

Related Articles

Area Sales Promotion Supervisor - Sumatra Selatan

Costing Supervisor

Content Creator (Flimbeauty)

Question 8 Which of the following allows the administrator to write, manage, and compile PowerShell Desired State Configuration (DSC) scripts? - Hybrid Runbook Worker agent - Change Tracking and Inventory - Azure Automation State Configuration - Hybrid Runbook Worker Group

At 25 seconds, a butterfly was traveling south. What was its velocity?

5. Mr. Williams had 36 guests at his house for a party. Each guest brought one item. How many brought chips? 1/3 brought drinks, 1 brought a dessert, and the rest brought chips - Number only please. *

For each part below, solve the equation. (a) Solve for $x$. $4(x+2)-x=2(x-1)+9$ Options: No solution $x=$ All real numbers are solutions (b) Solve for $v$. $-4(v+1)+6 v=2(v+2)-8$ Options: No solution $v=$ All real numbers are solutions

Consider the following function: $f(x)=\frac{25-x^2}{x^2-4 x-5}$ Which of the following are correct? Check all of the boxes that apply. │ $m \neq n$ │ $m=n$ │ There is only one vertical asymptote. │ $y=-1$ is the horizontal asymptote.

Recommended Articles

Lowongan Kerja Terbaru (Maret 2026)

Wahyu Widagdo Purnomo | AVP | Tech Builder | Corporate Athlete

Cheat Point Blank Pekalongan

Question 8
Which of the following allows the administrator to write, manage, and compile PowerShell Desired State Configuration (DSC) scripts?
- Hybrid Runbook Worker agent
- Change Tracking and Inventory
- Azure Automation State Configuration
- Hybrid Runbook Worker Group

5. Mr. Williams had 36 guests at his house for a party. Each guest brought
one item. How many brought chips? 1/3 brought drinks, 1 brought a
dessert, and the rest brought chips - Number only please. *

For each part below, solve the equation.

(a) Solve for $x$.
$4(x+2)-x=2(x-1)+9$
Options:
No solution
$x=$
All real numbers are solutions

(b) Solve for $v$.
$-4(v+1)+6 v=2(v+2)-8$
Options:
No solution
$v=$
All real numbers are solutions

Consider the following function:
$f(x)=\frac{25-x^2}{x^2-4 x-5}$

Which of the following are correct? Check all of the boxes that apply.
│ $m \neq n$
│ $m=n$
│ There is only one vertical asymptote.
│ $y=-1$ is the horizontal asymptote.