feat: Add strict_password_checking config option to relax password requirements #124

Open
Copilot wants to merge 6 commits into main from copilot/enhancement-relax-password-checking

Conversation


Copilot AI commented Mar 9, 2026

Summary

Adds a strict_password_checking boolean to invokeai.yaml (default: False) that controls whether password complexity is enforced or merely reported. When False, any non-empty password is accepted and a live strength indicator (Weak/Moderate/Strong) is shown in the UI as the user types.

Backend

  • config_default.py: New strict_password_checking: bool = Field(default=False) in the MULTIUSER config block
  • password_utils.py: New get_password_strength(password) → Literal["weak", "moderate", "strong"]
  • users_base.py / users_default.py: create(), update(), create_admin() accept strict_password_checking: bool = True; when False, only requires non-empty password
  • auth.py router: SetupStatusResponse now includes strict_password_checking; all four password-touching endpoints pass config.strict_password_checking to the user service

Frontend

  • New shared utility features/auth/util/passwordUtils.ts with validatePasswordField() and getPasswordStrength(), replacing three duplicated inline functions
  • AdministratorSetup, UserProfile, UserManagement all fetch strict_password_checking from /v1/auth/status (RTK Query, cached) and:
    • Strict mode (True): existing behavior — blocks submission if requirements not met
    • Non-strict mode (False): any non-empty password accepted; shows colored strength label below the field
      • 🔴 "Weak password" (error.300)
      • 🟡 "Moderate password" (warning.300)
      • 🔵 "Strong password" (invokeBlue.300)
  • Added en.json keys: auth.passwordStrength.{weak,moderate,strong} and auth.setup.passwordHelperRelaxed

Tests

  • Added TestGetPasswordStrength (11 cases) to test_password_utils.py
  • Updated test_setup_admin_weak_password in test_auth.py to explicitly enable strict_password_checking = True on the mock config, reflecting the new default of False
  • Added test_setup_admin_weak_password_non_strict to verify weak passwords are accepted when strict checking is disabled (the default)
  • Updated test_create_user_weak_password in test_user_service.py to explicitly pass strict_password_checking=True
  • Added test_create_user_weak_password_non_strict to verify weak passwords are accepted in non-strict mode

Related Issues / Discussions

QA Instructions

  1. Start InvokeAI with multiuser: true and default config (strict_password_checking absent / false)
  2. Navigate to admin setup — type a short/weak password and verify the colored strength label updates live without blocking submission
  3. Set strict_password_checking: true in invokeai.yaml, restart, and verify weak passwords are blocked with an error message (existing behavior)
  4. Repeat strength/blocking checks in User Profile (change password) and User Management (create/edit user modal)

Merge Plan

Checklist

  • The PR has a short but descriptive title, suitable for a changelog
  • Tests added / updated (if applicable)
  • ❗Changes to a redux slice have a corresponding migration
  • Documentation added / updated (if applicable)
  • Updated What's New copy (if doing a release after this PR)
Original prompt

This section details the original issue you should resolve

<issue_title>[enhancement]: relax strict password checking</issue_title>
<issue_description>### Is there an existing issue for this?

  • I have searched the existing issues

Contact Details

No response

What should this feature add?

Users are complaining about the strict password checking tests in the multiuser feature. These are the tests that are applied in three places:

  1. First login, when the Administrator account is set up.
  2. When a user changes the password in his profile.
  3. When the Administrator creates or modifies a user in the User Management window.

This feature will add a new invokeai.yaml boolean configuration option strict_password_checking. If True, then the system will continue to insist on strong passwords as it does now. If False (the default), then the system will merely report whether the password is weak, moderate, or strong.

In password strength reporting mode, the message updates as the user types and is one of:

  • "Weak password" (text in red)
  • "Moderate password" (text in yellow)
  • "Strong password" (text in blue)

Alternatives

No response

Additional Content

No response</issue_description>

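The two modes the PR describes, written out as server-side logic in an added example (this is not InvokeAI's code; the page does not show the PR's own scoring rule, so `get_password_strength` uses an assumed length plus character-class heuristic, and `setup_admin` is an assumed stand-in for the `/api/v1/auth/setup` endpoint that returns the 400/200 outcomes the tests on this page check). The point for anyone reviewing the default: the coloured UI label is advisory, and the server-side branch below is the only place a weak password is actually refused.

```python
import re
from typing import Literal

PasswordStrength = Literal["weak", "moderate", "strong"]

# Assumed scoring rule (the PR page does not show its own): length plus the
# number of distinct character classes present.
_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def get_password_strength(password: str) -> PasswordStrength:
    """Classify a password as weak / moderate / strong (reporting only)."""
    classes = sum(1 for pat in _CLASS_PATTERNS if re.search(pat, password))
    if len(password) >= 12 and classes >= 3:
        return "strong"
    if len(password) >= 8 and classes >= 2:
        return "moderate"
    return "weak"


class PasswordPolicyError(ValueError):
    """Raised when a password is rejected by the server-side policy."""


def validate_password(password: str, strict_password_checking: bool = False) -> PasswordStrength:
    """Server-side gate for both modes.

    Empty passwords are always refused. With strict_password_checking=True a
    weak password is refused as well; with False (the PR's default) it is
    accepted and only its strength is returned for display.
    """
    if not password:
        raise PasswordPolicyError("password must not be empty")
    strength = get_password_strength(password)
    if strict_password_checking and strength == "weak":
        raise PasswordPolicyError("password does not meet complexity requirements")
    return strength


def setup_admin(payload: dict, strict_password_checking: bool) -> tuple[int, dict]:
    """Stand-in (assumed, not InvokeAI's router) for POST /api/v1/auth/setup.

    Mirrors the status codes the page's tests check: 400 when the policy
    rejects the password, 200 otherwise.
    """
    try:
        strength = validate_password(payload.get("password", ""), strict_password_checking)
    except PasswordPolicyError as exc:
        return 400, {"detail": str(exc)}
    return 200, {"email": payload["email"], "password_strength": strength}
```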

Copilot AI changed the title [WIP] Add configuration option for password strength checks feat: Add strict_password_checking config option to relax password requirements Mar 9, 2026
@lstein lstein marked this pull request as ready for review March 10, 2026 02:28
@lstein lstein self-requested a review as a code owner March 10, 2026 02:28
@lstein lstein force-pushed the copilot/enhancement-relax-password-checking branch from d6a7cf0 to cf69418 March 10, 2026 03:05
@lstein lstein (Owner) left a comment

Works as advertised

…quirements

- Add `strict_password_checking: bool = Field(default=False)` to InvokeAIAppConfig
- Add `get_password_strength()` function to password_utils.py (returns weak/moderate/strong)
- Add `strict_password_checking` field to SetupStatusResponse API endpoint
- Update users_base.py and users_default.py to accept `strict_password_checking` param
- Update auth.py router to pass config.strict_password_checking to all user service calls
- Create shared frontend utility passwordUtils.ts for password strength validation
- Update AdministratorSetup, UserProfile, UserManagement components to:
  - Fetch strict_password_checking from setup status endpoint
  - Show colored strength indicators (red/yellow/blue) in non-strict mode
  - Allow any non-empty password in non-strict mode
  - Maintain strict validation behavior when strict_password_checking=True
- Update SetupStatusResponse type in auth.ts endpoint
- Add passwordStrength and passwordHelperRelaxed translation keys to en.json
- Add tests for new get_password_strength() function

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
@lstein lstein force-pushed the copilot/enhancement-relax-password-checking branch from d351e1d to 0fd4038 March 10, 2026 03:22

@lstein lstein (Owner) left a comment

Test failure:

========================================================================== FAILURES ==========================================================================
_______________________________________________________________ test_setup_admin_weak_password _______________________________________________________________

monkeypatch = <_pytest.monkeypatch.MonkeyPatch object at 0x7a68f9c32630>, mock_invoker = <invokeai.app.services.invoker.Invoker object at 0x7a68f9d37d10>
client = <starlette.testclient.TestClient object at 0x7a68fa0f3080>

    def test_setup_admin_weak_password(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None:
        """Test setup fails with weak password."""
        monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker))
    
        response = client.post(
            "/api/v1/auth/setup",
            json={
                "email": "admin3@example.com",
                "display_name": "Admin User",
                "password": "weak",
            },
        )
    
>       assert response.status_code == 400
E       assert 200 == 400
E        +  where 200 = <Response [200 OK]>.status_code

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
lstein (Owner) commented Mar 10, 2026

@copilot
Test failure:

========================================================================== FAILURES ==========================================================================
_______________________________________________________________ test_setup_admin_weak_password _______________________________________________________________

monkeypatch = <_pytest.monkeypatch.MonkeyPatch object at 0x7a68f9c32630>, mock_invoker = <invokeai.app.services.invoker.Invoker object at 0x7a68f9d37d10>
client = <starlette.testclient.TestClient object at 0x7a68fa0f3080>

def test_setup_admin_weak_password(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None:
    """Test setup fails with weak password."""
    monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker))

    response = client.post(
        "/api/v1/auth/setup",
        json={
            "email": "admin3@example.com",
            "display_name": "Admin User",
            "password": "weak",
        },
    )
  assert response.status_code == 400

E assert 200 == 400
E + where 200 = <Response [200 OK]>.status_code

Copilot AI (Author) commented Mar 10, 2026

@copilot
Test failure:

...

Fixed in commit 035745b. The test was failing because strict_password_checking defaults to False, so the setup endpoint now correctly accepts weak passwords by default. The fix sets mock_invoker.services.configuration.strict_password_checking = True in the test before calling the endpoint, ensuring strict validation is tested explicitly. A companion test test_setup_admin_weak_password_non_strict was also added to verify the non-strict (default) behavior allows weak passwords.

Development

Successfully merging this pull request may close these issues: [enhancement]: relax strict password checking

3 participants