From 7d418c91e433c1fafef2699f1c8aed1ea18f2109 Mon Sep 17 00:00:00 2001
From: jmanczak
Date: Sun, 26 Apr 2026 16:08:31 +0200
Subject: [PATCH] block empty passwords in the web handler
---
 src/web/pages/usersettings.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/web/pages/usersettings.rs b/src/web/pages/usersettings.rs
index dc041b9..a7420a5 100644
--- a/src/web/pages/usersettings.rs
+++ b/src/web/pages/usersettings.rs
@@ -113,6 +113,14 @@ pub async fn change_password(
 headers: HeaderMap,
 Form(form): Form,
 ) -> Result {
+ if form.password.trim().is_empty() {
+ return Ok((
+ axum::http::StatusCode::BAD_REQUEST,
+ "Password cannot be empty or consist only of whitespace.",
+ )
+ .into_response());
+ }
+
 let mut tx = state.pool.begin().await?;
 let mut u = User::authenticate(&mut *tx, &headers).await?.required()?;
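Review bot: The new emptiness check runs before `User::authenticate(&mut *tx, &headers).await?.required()?`, so a request without a valid session is answered by input validation (400) instead of the authentication failure; moving the `if form.password.trim().is_empty() { … }` block to just after the `let mut u = …` line keeps validation behind authentication. The check also accepts any non-blank value, so a one-character password still passes; if the project has a password policy, it should be applied at this point as well. The subject limits the change to "the web handler", so if passwords can be set through other paths, the same rule presumably belongs in the routine that stores the password, which is not visible in this hunk. The body of `change_password` continues past the hunk, so how `form.password` is used afterwards cannot be checked from here.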