added record.SetRandomPassword() helper and updated oauth2 autogenerated password handling

apis/record_auth_with_oauth2.go

@@ -16,7 +16,6 @@ import (
 	"github.com/pocketbase/pocketbase/tools/auth"
 	"github.com/pocketbase/pocketbase/tools/dbutils"
 	"github.com/pocketbase/pocketbase/tools/filesystem"
-	"github.com/pocketbase/pocketbase/tools/security"
 	"golang.org/x/oauth2"
 )
 
@@ -224,12 +223,6 @@ func oauth2Submit(e *core.RecordAuthWithOAuth2RequestEvent, optExternalAuth *cor
 
 			payload[core.FieldNameEmail] = e.OAuth2User.Email
 
-			// set a random password if none is set
-			if v, _ := payload[core.FieldNamePassword].(string); v == "" {
-				payload[core.FieldNamePassword] = security.RandomString(30)
-				payload[core.FieldNamePassword+"Confirm"] = payload[core.FieldNamePassword]
-			}
-
 			// map known fields (unless the field was explicitly submitted as part of CreateData)
 			if _, ok := payload[e.Collection.OAuth2.MappedFields.Id]; !ok && e.Collection.OAuth2.MappedFields.Id != "" {
 				payload[e.Collection.OAuth2.MappedFields.Id] = e.OAuth2User.Id
@@ -292,7 +285,7 @@ func oauth2Submit(e *core.RecordAuthWithOAuth2RequestEvent, optExternalAuth *cor
 			// set random password for users with unverified email
 			// (this is in case a malicious actor has registered previously with the user email)
 			if !isLoggedAuthRecord && e.Record.Email() != "" && !e.Record.Verified() {
-				e.Record.SetPassword(security.RandomString(30))
+				e.Record.SetRandomPassword()
 				needUpdate = true
 			}
 

apis/record_auth_with_oauth2_test.go

@@ -958,6 +958,8 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 				"createData": {
 					"email": "invalid",
 					"emailVisibility": true,
+					"password": "1234567890",
+					"passwordConfirm": "1234567890",
 					"name": "test_name",
 					"username": "test_username",
 					"rel": "0yxhwia2amd8gec"
@@ -1027,6 +1029,16 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 				"OnModelValidate":  4,
 				"OnRecordValidate": 4,
 			},
+			AfterTestFunc: func(t testing.TB, app *tests.TestApp, res *http.Response) {
+				user, err := app.FindFirstRecordByData("users", "username", "test_username")
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				if !user.ValidatePassword("1234567890") {
+					t.Fatalf("Expected password %q to be valid", "1234567890")
+				}
+			},
 		},
 		{
 			Name:   "creating user (with mapped OAuth2 fields and avatarURL->file field)",

apis/record_crud.go

@@ -94,9 +94,9 @@ func recordsList(e *core.RequestEvent) error {
 
 		// Add a randomized throttle in case of too many empty search filter attempts.
 		//
-		// This is just for extra precaution since security researches raised concern regarding the possibity of eventual
+		// This is just for extra precaution since security researches raised concern regarding the possibility of eventual
 		// timing attacks because the List API rule acts also as filter and executes in a single run with the client-side filters.
-		// This is by design and it is an accepted tradeoff between performance, usability and correctness.
+		// This is by design and it is an accepted trade off between performance, usability and correctness.
 		//
 		// While technically the below doesn't fully guarantee protection against filter timing attacks, in practice combined with the network latency it makes them even less feasible.
 		// A properly configured rate limiter or individual fields Hidden checks are better suited if you are really concerned about eventual information disclosure by side-channel attacks.
@@ -220,6 +220,16 @@ func recordCreate(optFinalizer func(data any) error) func(e *core.RequestEvent)
 			return firstApiError(err, e.BadRequestError("Failed to read the submitted data.", err))
 		}
 
+		// set a random password for the OAuth2 ignoring its plain password validators
+		var skipPlainPasswordRecordValidators bool
+		if requestInfo.Context == core.RequestInfoContextOAuth2 {
+			if _, ok := data[core.FieldNamePassword]; !ok {
+				data[core.FieldNamePassword] = security.RandomString(30)
+				data[core.FieldNamePassword+"Confirm"] = data[core.FieldNamePassword]
+				skipPlainPasswordRecordValidators = true
+			}
+		}
+
 		// replace modifiers fields so that the resolved value is always
 		// available when accessing requestInfo.Body
 		requestInfo.Body = data
@@ -230,6 +240,13 @@ func recordCreate(optFinalizer func(data any) error) func(e *core.RequestEvent)
 		}
 		form.Load(data)
 
+		if skipPlainPasswordRecordValidators {
+			// unset the plain value to skip the plain password field validators
+			if raw, ok := record.GetRaw(core.FieldNamePassword).(*core.PasswordFieldValue); ok {
+				raw.Plain = ""
+			}
+		}
+
 		var isOptFinalizerCalled bool
 
 		event := new(core.RecordRequestEvent)