block empty passwords in the web handler

src/web/pages/usersettings.rs

@@ -113,6 +113,14 @@ pub async fn change_password(
     headers: HeaderMap,
     Form(form): Form<PasswordForm>,
 ) -> Result<Response, CompositeError> {
+    if form.password.trim().is_empty() {
+        return Ok((
+            axum::http::StatusCode::BAD_REQUEST,
+            "Password cannot be empty or consist only of whitespace.",
+        )
+            .into_response());
+    }
+
     let mut tx = state.pool.begin().await?;
     let mut u = User::authenticate(&mut *tx, &headers).await?.required()?;