fix(server): --session-cookie-secure flag; scope+char-count password; invalid-email test

crates/server/src/lib.rs

@@ -48,24 +48,27 @@ pub async fn serve(listener: TcpListener, state: AppState) -> anyhow::Result<()>
     Ok(())
 }
 
-/// Create a user from the CLI (admin bootstrap). Reads the password from the
-/// `BOOTSTRAP_PASSWORD` env var if set, otherwise prompts (hidden input).
+/// Create a user from the CLI (admin bootstrap). Opens its own connection (CLI
+/// one-shot); reads the password from the `BOOTSTRAP_PASSWORD` env var if set,
+/// otherwise prompts (hidden input). The plaintext is not zeroized, but it is
+/// confined to the scope below and dropped before any network I/O.
 pub async fn create_user(database_url: &str, email: &str, role: Role) -> anyhow::Result<()> {
     let email = Email::parse(email).map_err(|err| anyhow::anyhow!("{err}"))?;
 
-    let password = match std::env::var("BOOTSTRAP_PASSWORD") {
-        Ok(p) => p,
-        Err(_) => rpassword::prompt_password("Password: ").context("reading password")?,
+    // Read, validate, and hash the password in a scope so the plaintext `String` is
+    // dropped before we open a connection / run any awaits.
+    let password_hash = {
+        let password = match std::env::var("BOOTSTRAP_PASSWORD") {
+            Ok(p) => p,
+            Err(_) => rpassword::prompt_password("Password: ").context("reading password")?,
+        };
+        anyhow::ensure!(
+            password.chars().count() >= 8,
+            "password must be at least 8 characters"
+        );
+        auth::hash_password(&password).map_err(|err| anyhow::anyhow!("hashing password: {err}"))?
     };
 
-    anyhow::ensure!(
-        password.len() >= 8,
-        "password must be at least 8 characters"
-    );
-
-    let password_hash =
-        auth::hash_password(&password).map_err(|err| anyhow::anyhow!("hashing password: {err}"))?;
-
     let db = Db::connect(database_url)
         .await
         .context("connecting to the database")?;