Harden auth flows and add backend quality gate

backend/app/security.py

@@ -1,13 +1,16 @@
 from datetime import datetime, timedelta, timezone
 from typing import Any, Dict, Optional
 
-from jose import JWTError, jwt
 from passlib.context import CryptContext
+import jwt
+from jwt import InvalidTokenError
 
 from .config import settings
 
 _pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
 _ALGORITHM = "HS256"
+MIN_PASSWORD_LENGTH = 8
+PASSWORD_POLICY_MESSAGE = f"Password must be at least {MIN_PASSWORD_LENGTH} characters."
 
 
 def hash_password(password: str) -> str:
@@ -18,6 +21,13 @@ def verify_password(plain_password: str, hashed_password: str) -> bool:
     return _pwd_context.verify(plain_password, hashed_password)
 
 
+def validate_password_policy(password: str) -> str:
+    candidate = password.strip()
+    if len(candidate) < MIN_PASSWORD_LENGTH:
+        raise ValueError(PASSWORD_POLICY_MESSAGE)
+    return candidate
+
+
 def _create_token(
     subject: str,
     role: str,
@@ -55,5 +65,5 @@ class TokenError(Exception):
 def safe_decode_token(token: str) -> Dict[str, Any]:
     try:
         return decode_token(token)
-    except JWTError as exc:
+    except InvalidTokenError as exc:
         raise TokenError("Invalid token") from exc