From 6574e9f0b2ac270547b0b5f52b1b44603ad6130e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Newton=20Jos=C3=A9?= Date: Tue, 9 Sep 2025 21:58:39 -0300 Subject: [PATCH] Fix: Add Password Validation to Account Creation (#25382) --- api/services/account_service.py | 2 ++ .../services/test_account_service.py | 22 +++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/api/services/account_service.py b/api/services/account_service.py index f66c1aa677..f917959350 100644 --- a/api/services/account_service.py +++ b/api/services/account_service.py @@ -246,6 +246,8 @@ class AccountService: account.name = name if password: + valid_password(password) + # generate password salt salt = secrets.token_bytes(16) base64_salt = base64.b64encode(salt).decode() diff --git a/api/tests/test_containers_integration_tests/services/test_account_service.py b/api/tests/test_containers_integration_tests/services/test_account_service.py index 6b5ac713e6..dac1fe643a 100644 --- a/api/tests/test_containers_integration_tests/services/test_account_service.py +++ b/api/tests/test_containers_integration_tests/services/test_account_service.py 
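Review bot: The new `valid_password(password)` call sits inside `if password:`, so an empty string skips the policy check and falls through to the passwordless path instead of being rejected. If that path is meant only for callers that deliberately pass `None` (the existing test above the new one asserts `account.password is None`), consider `if password is not None:` so that `""` coming from a form is validated and fails. The check also runs after `account.name = name`, so the account object is already partly populated when the ValueError is raised; validating at the top of `create_account` would keep the failure free of side effects, though the start of the function is outside this hunk and I cannot see what precedes it. A short comment such as `# raises ValueError if the password fails policy; must run before hashing` would explain why the return value is discarded.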
@@ -91,6 +91,28 @@ class TestAccountService: assert account.password is None assert account.password_salt is None + def test_create_account_password_invalid_new_password( + self, db_session_with_containers, mock_external_service_dependencies + ): + """ + Test account create with invalid new password format. + """ + fake = Faker() + email = fake.email() + name = fake.name() + # Setup mocks + mock_external_service_dependencies["feature_service"].get_system_features.return_value.is_allow_register = True + mock_external_service_dependencies["billing_service"].is_email_in_freeze.return_value = False + + # Test with too short password (assuming minimum length validation) + with pytest.raises(ValueError): # Password validation error + AccountService.create_account( + email=email, + name=name, + interface_language="en-US", + password="invalid_new_password", + ) + def test_create_account_registration_disabled(self, db_session_with_containers, mock_external_service_dependencies): """ Test account creation when registration is disabled.
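Review bot: The comment `# Test with too short password (assuming minimum length validation)` does not match the fixture: `"invalid_new_password"` is 20 characters long, so if the test passes, the value is being rejected by some other rule (it contains no digit, which is presumably what the policy objects to). The comment should state the actual reason, and a genuinely short value should be added as a second case so both rules are pinned. `with pytest.raises(ValueError):` also accepts any ValueError raised anywhere in `create_account`; passing `match=` with the validator's message (not visible in this diff) would tie the test to the password check. It would also be worth asserting afterwards that no account row exists for `email`, so a rejected password cannot leave a partial record behind.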