- Remove global d variable; declare passwordData locally per request,
eliminating a data race under concurrent requests and the bug where
NoUpper/DenyRepeat were never reset between requests
- Add parseParam helper that strictly validates integer fields: absent
fields fall back to the configured default, while invalid or
out-of-range values return HTTP 400 with a descriptive message
- Cap password length at 512 characters to prevent CPU/memory exhaustion
- Bump go.mod from 1.14 to 1.25 (minimum maintained release; required
for errors.Join used in validation)
Signed-off-by: Nagy Károly Gábriel <k@jpi.io>
Nagy Károly Gábriel
