fix: trim and validate default admin password input

- Trim whitespace from the configured default admin password before use; treat whitespace-only or empty passwords as unset and generate a random password instead
- Replace direct checks for non-empty password with checks on the trimmed value in the password-creation logic
- Add a test to verify handling of whitespace in the default admin password, including cases with only spaces/tabs/mixed whitespace

Signed-off-by: appleboy <appleboy.tw@gmail.com>

Author: appleboy

internal/store/sqlite.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"strings"
 	"time"
 
 	"github.com/appleboy/authgate/internal/config"
@@ -75,9 +76,10 @@ func (s *Store) seedData(cfg *config.Config) error {
 		var password string
 		var err error
 
-		// Use configured password if set, otherwise generate random password
-		if cfg.DefaultAdminPassword != "" {
-			password = cfg.DefaultAdminPassword
+		// Use configured password if set (after trimming whitespace), otherwise generate random password
+		configuredPassword := strings.TrimSpace(cfg.DefaultAdminPassword)
+		if configuredPassword != "" {
+			password = configuredPassword
 		} else {
 			password, err = generateRandomPassword(16)
 			if err != nil {
@@ -101,7 +103,7 @@ func (s *Store) seedData(cfg *config.Config) error {
 		}
 
 		// Log password creation differently based on source
-		if cfg.DefaultAdminPassword != "" {
+		if configuredPassword != "" {
 			log.Printf("Created default user: admin / [configured password] (role: admin)")
 		} else {
 			log.Printf("Created default user: admin / %s (role: admin)", password)

internal/store/store_test.go

@@ -3,6 +3,7 @@ package store
 import (
 	"context"
 	"fmt"
+	"strings"
 	"testing"
 	"time"
 
@@ -15,6 +16,7 @@ import (
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/modules/postgres"
 	"github.com/testcontainers/testcontainers-go/wait"
+	"golang.org/x/crypto/bcrypt"
 	"gorm.io/gorm"
 )
 
@@ -525,3 +527,83 @@ func TestUpsertExternalUser_Success_UpdateExisting(t *testing.T) {
 	assert.Equal(t, "bob.builder@example.com", updatedUser.Email)
 	assert.Equal(t, "Robert Builder", updatedUser.FullName)
 }
+
+// TestDefaultAdminPassword_WhitespaceHandling tests that whitespace-only passwords are treated as empty
+func TestDefaultAdminPassword_WhitespaceHandling(t *testing.T) {
+	tests := []struct {
+		name                 string
+		defaultAdminPassword string
+		shouldUseConfigured  bool
+	}{
+		{
+			name:                 "valid password",
+			defaultAdminPassword: "MyPassword123",
+			shouldUseConfigured:  true,
+		},
+		{
+			name:                 "password with leading/trailing spaces",
+			defaultAdminPassword: "  MyPassword123  ",
+			shouldUseConfigured:  true,
+		},
+		{
+			name:                 "empty string",
+			defaultAdminPassword: "",
+			shouldUseConfigured:  false,
+		},
+		{
+			name:                 "only spaces",
+			defaultAdminPassword: "   ",
+			shouldUseConfigured:  false,
+		},
+		{
+			name:                 "only tabs",
+			defaultAdminPassword: "\t\t\t",
+			shouldUseConfigured:  false,
+		},
+		{
+			name:                 "mixed whitespace",
+			defaultAdminPassword: " \t\n\r ",
+			shouldUseConfigured:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := &config.Config{
+				DefaultAdminPassword: tt.defaultAdminPassword,
+			}
+
+			store, err := New("sqlite", ":memory:", cfg)
+			require.NoError(t, err)
+			require.NotNil(t, store)
+
+			// Get the created admin user
+			admin, err := store.GetUserByUsername("admin")
+			require.NoError(t, err)
+			require.NotNil(t, admin)
+
+			// Verify the password works
+			if tt.shouldUseConfigured {
+				// Should use the trimmed configured password
+				err = bcrypt.CompareHashAndPassword(
+					[]byte(admin.PasswordHash),
+					[]byte(strings.TrimSpace(tt.defaultAdminPassword)),
+				)
+				assert.NoError(t, err, "configured password should work after trimming")
+			} else {
+				// Should have generated a random password (we can't verify the exact password,
+				// but we can verify it's not an empty password)
+				assert.NotEmpty(t, admin.PasswordHash)
+
+				// Verify that whitespace-only password does NOT work
+				if tt.defaultAdminPassword != "" {
+					err = bcrypt.CompareHashAndPassword(
+						[]byte(admin.PasswordHash),
+						[]byte(tt.defaultAdminPassword),
+					)
+					assert.Error(t, err, "whitespace-only password should not work")
+				}
+			}
+		})
+	}
+}