fix: eliminate request handler race condition and add input validation

- Remove global d variable; declare passwordData locally per request, eliminating a data race under concurrent requests and the bug where NoUpper/DenyRepeat were never reset between requests
- Add parseParam helper that strictly validates integer fields: absent fields fall back to the configured default, while invalid or out-of-range values return HTTP 400 with a descriptive message
- Cap password length at 512 characters to prevent CPU/memory exhaustion
- Bump go.mod from 1.14 to 1.25 (minimum maintained release; required for errors.Join used in validation)

Signed-off-by: Nagy Károly Gábriel <k@jpi.io>
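
The pattern the commit message describes (per-request state, strict integer parsing, a 512-character cap, and `errors.Join` to report every invalid field in one HTTP 400), sketched as an added example that is not the project's code. The parameter names `length` and `count`, their defaults, the `count` range, the `passwordData` fields and the `validateQuery` helper are assumptions; only the 512 cap comes from the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
)

// passwordData is built per request; no package-level variable is shared between goroutines.
type passwordData struct{ Length, Count int }

// parseParam returns def when the field is absent, an error when it is not an integer or outside [min, max].
func parseParam(q url.Values, name string, def, min, max int) (int, error) {
	if !q.Has(name) {
		return def, nil
	}
	n, err := strconv.Atoi(q.Get(name))
	if err != nil {
		return 0, fmt.Errorf("%s: not an integer", name)
	}
	if n < min || n > max {
		return 0, fmt.Errorf("%s: must be between %d and %d", name, min, max)
	}
	return n, nil
}

// validateQuery checks every field and joins the failures so the client sees all of them.
func validateQuery(raw string) (passwordData, error) {
	q, err := url.ParseQuery(raw)
	if err != nil {
		return passwordData{}, err
	}
	length, e1 := parseParam(q, "length", 16, 1, 512) // 512 cap bounds CPU and memory per request
	count, e2 := parseParam(q, "count", 1, 1, 100)    // assumed field and limits
	return passwordData{Length: length, Count: count}, errors.Join(e1, e2)
}

func handler(w http.ResponseWriter, r *http.Request) {
	d, err := validateQuery(r.URL.RawQuery) // d is local to this call
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "length=%d count=%d\n", d.Length, d.Count)
}

func main() { fmt.Println(http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(handler))) }
```

Running a handler like this under `go test -race` with concurrent requests is a direct way to confirm that no shared request state remains.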