Harden app security controls from audit

Endpoints/AuthValidator.cs

@@ -7,6 +7,8 @@ internal static class AuthValidator
     public const int MaxUsernameLength = 24;
     public const int MaxDisplayNameLength = 16;
     public const int MaxAdminKeyLength = 128;
+    public const int MinPasswordLength = 8;
+    public const int MaxPasswordLength = 128;
 
     public static bool TryValidateRegistration(RegisterRequest request, out ValidatedRegistration validated, out string error)
     {
@@ -25,6 +27,25 @@ internal static class AuthValidator
             return false;
         }
 
+        var password = request.Password.Trim();
+        if (password.Length < MinPasswordLength || password.Length > MaxPasswordLength)
+        {
+            validated = default;
+            error = $"Password must be between {MinPasswordLength} and {MaxPasswordLength} characters.";
+            return false;
+        }
+
+        var hasUpper = password.Any(char.IsUpper);
+        var hasLower = password.Any(char.IsLower);
+        var hasDigit = password.Any(char.IsDigit);
+        var hasSymbol = password.Any(ch => !char.IsLetterOrDigit(ch));
+        if (!hasUpper || !hasLower || !hasDigit || !hasSymbol)
+        {
+            validated = default;
+            error = "Password must include uppercase, lowercase, number, and symbol.";
+            return false;
+        }
+
         if ((request.DisplayName ?? string.Empty).Trim().Length > MaxDisplayNameLength)
         {
             validated = default;
@@ -63,6 +84,12 @@ internal static class AuthValidator
             return false;
         }
 
+        if (request.Password.Length > MaxPasswordLength)
+        {
+            error = $"Password must be <= {MaxPasswordLength} characters.";
+            return false;
+        }
+
         normalizedUsername = username.ToLowerInvariant();
         error = string.Empty;
         return true;