refactor: replace Bearer token auth with HttpOnly cookies

- Remove POST /api/v1/register endpoint entirely - Session creation (POST /api/v1/session) now sets neoirc_auth HttpOnly cookie instead of returning token in JSON body - Login (POST /api/v1/login) now sets neoirc_auth HttpOnly cookie instead of returning token in JSON body - Add PASS IRC command for setting session password (enables multi-client login via POST /api/v1/login) - All per-request auth reads from neoirc_auth cookie instead of Authorization: Bearer header - Cookie properties: HttpOnly, SameSite=Strict, Secure when behind TLS - Logout and QUIT clear the auth cookie - Update CORS to AllowCredentials:true with origin reflection - Remove Authorization from CORS AllowedHeaders - Update CLI client to use cookie jar (net/http/cookiejar) - Remove Token field from SessionResponse - Add SetPassword to DB layer, remove RegisterUser - Comprehensive test updates for cookie-based auth - Add tests: TestPassCommand, TestPassCommandShortPassword, TestPassCommandEmpty, TestSessionCookie - Update README extensively: auth model, API reference, curl examples, security model, design principles, roadmap closes #83
2026-03-17 20:33:12 -07:00
parent bf4d63bc4d
commit cd9fd0c5c5
11 changed files with 625 additions and 711 deletions
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -36,6 +36,7 @@ const (
 	defaultMaxBodySize = 4096
 	defaultHistLimit   = 50
 	maxHistLimit       = 500
+	authCookieName     = "neoirc_auth"
 )

 func (hdlr *Handlers) maxBodySize() int64 {
@@ -46,23 +47,18 @@ func (hdlr *Handlers) maxBodySize() int64 {
 	return defaultMaxBodySize
 }

-// authSession extracts the session from the client token.
+// authSession extracts the session from the auth cookie.
 func (hdlr *Handlers) authSession(
 	request *http.Request,
 ) (int64, int64, string, error) {
-	auth := request.Header.Get("Authorization")
-	if !strings.HasPrefix(auth, "Bearer ") {
-		return 0, 0, "", errUnauthorized
-	}
-
-	token := strings.TrimPrefix(auth, "Bearer ")
-	if token == "" {
+	cookie, err := request.Cookie(authCookieName)
+	if err != nil || cookie.Value == "" {
 		return 0, 0, "", errUnauthorized
 	}

 	sessionID, clientID, nick, err :=
 		hdlr.params.Database.GetSessionByToken(
-			request.Context(), token,
+			request.Context(), cookie.Value,
 		)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf("auth: %w", err)
@@ -71,6 +67,46 @@ func (hdlr *Handlers) authSession(
 	return sessionID, clientID, nick, nil
 }

+// setAuthCookie sets the authentication cookie on the
+// response.
+func (hdlr *Handlers) setAuthCookie(
+	writer http.ResponseWriter,
+	request *http.Request,
+	token string,
+) {
+	secure := request.TLS != nil ||
+		request.Header.Get("X-Forwarded-Proto") == "https"
+
+	http.SetCookie(writer, &http.Cookie{ //nolint:exhaustruct // optional fields
+		Name:     authCookieName,
+		Value:    token,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   secure,
+		SameSite: http.SameSiteStrictMode,
+	})
+}
+
+// clearAuthCookie removes the authentication cookie from
+// the client.
+func (hdlr *Handlers) clearAuthCookie(
+	writer http.ResponseWriter,
+	request *http.Request,
+) {
+	secure := request.TLS != nil ||
+		request.Header.Get("X-Forwarded-Proto") == "https"
+
+	http.SetCookie(writer, &http.Cookie{ //nolint:exhaustruct // optional fields
+		Name:     authCookieName,
+		Value:    "",
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   secure,
+		SameSite: http.SameSiteStrictMode,
+		MaxAge:   -1,
+	})
+}
+
 func (hdlr *Handlers) requireAuth(
 	writer http.ResponseWriter,
 	request *http.Request,
@@ -226,10 +262,11 @@ func (hdlr *Handlers) handleCreateSession(

 	hdlr.deliverMOTD(request, clientID, sessionID, payload.Nick)

+	hdlr.setAuthCookie(writer, request, token)
+
 	hdlr.respondJSON(writer, request, map[string]any{
-		"id":    sessionID,
-		"nick":  payload.Nick,
-		"token": token,
+		"id":   sessionID,
+		"nick": payload.Nick,
 	}, http.StatusCreated)
 }

@@ -875,6 +912,11 @@ func (hdlr *Handlers) dispatchCommand(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
+	case irc.CmdPass:
+		hdlr.handlePass(
+			writer, request,
+			sessionID, clientID, nick, bodyLines,
+		)
 	case irc.CmdTopic:
 		hdlr.handleTopic(
 			writer, request,
@@ -2005,6 +2047,8 @@ func (hdlr *Handlers) handleQuit(
 		request.Context(), sessionID,
 	)

+	hdlr.clearAuthCookie(writer, request)
+
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "quit"},
 		http.StatusOK)
@@ -2807,6 +2851,8 @@ func (hdlr *Handlers) HandleLogout() http.HandlerFunc {
 			)
 		}

+		hdlr.clearAuthCookie(writer, request)
+
 		hdlr.respondJSON(writer, request,
 			map[string]string{"status": "ok"},
 			http.StatusOK)
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -33,15 +33,16 @@ import (
 )

 const (
-	commandKey  = "command"
-	bodyKey     = "body"
-	toKey       = "to"
-	statusKey   = "status"
-	privmsgCmd  = "PRIVMSG"
-	joinCmd     = "JOIN"
-	apiMessages = "/api/v1/messages"
-	apiSession  = "/api/v1/session"
-	apiState    = "/api/v1/state"
+	commandKey     = "command"
+	bodyKey        = "body"
+	toKey          = "to"
+	statusKey      = "status"
+	privmsgCmd     = "PRIVMSG"
+	joinCmd        = "JOIN"
+	apiMessages    = "/api/v1/messages"
+	apiSession     = "/api/v1/session"
+	apiState       = "/api/v1/state"
+	authCookieName = "neoirc_auth"
 )

 // testServer wraps a test HTTP server with helpers.
@@ -261,7 +262,7 @@ func doRequest(

 func doRequestAuth(
 	t *testing.T,
-	method, url, token string,
+	method, url, cookie string,
 	body io.Reader,
 ) (*http.Response, error) {
 	t.Helper()
@@ -279,10 +280,11 @@ func doRequestAuth(
 		)
 	}

-	if token != "" {
-		request.Header.Set(
-			"Authorization", "Bearer "+token,
-		)
+	if cookie != "" {
+		request.AddCookie(&http.Cookie{ //nolint:exhaustruct // only name+value needed
+			Name:  authCookieName,
+			Value: cookie,
+		})
 	}

 	resp, err := http.DefaultClient.Do(request)
@@ -325,17 +327,19 @@ func (tserver *testServer) createSession(
 		)
 	}

-	var result struct {
-		ID    int64  `json:"id"`
-		Token string `json:"token"`
+	// Drain the body.
+	_, _ = io.ReadAll(resp.Body)
+
+	// Extract auth cookie from response.
+	for _, cookie := range resp.Cookies() {
+		if cookie.Name == authCookieName {
+			return cookie.Value
+		}
 	}

-	decErr := json.NewDecoder(resp.Body).Decode(&result)
-	if decErr != nil {
-		tserver.t.Fatalf("decode session: %v", decErr)
-	}
+	tserver.t.Fatal("no auth cookie in response")

-	return result.Token
+	return ""
 }

 func (tserver *testServer) sendCommand(
@@ -492,10 +496,10 @@ func findNumeric(

 func TestCreateSessionValid(t *testing.T) {
 	tserver := newTestServer(t)
-	token := tserver.createSession("alice")
+	cookie := tserver.createSession("alice")

-	if token == "" {
-		t.Fatal("expected token")
+	if cookie == "" {
+		t.Fatal("expected auth cookie")
 	}
 }

@@ -617,7 +621,7 @@ func TestCreateSessionMalformed(t *testing.T) {
 	}
 }

-func TestAuthNoHeader(t *testing.T) {
+func TestAuthNoCookie(t *testing.T) {
 	tserver := newTestServer(t)

 	status, _ := tserver.getState("")
@@ -626,11 +630,11 @@ func TestAuthNoHeader(t *testing.T) {
 	}
 }

-func TestAuthBadToken(t *testing.T) {
+func TestAuthBadCookie(t *testing.T) {
 	tserver := newTestServer(t)

 	status, _ := tserver.getState(
-		"invalid-token-12345",
+		"invalid-cookie-12345",
 	)
 	if status != http.StatusUnauthorized {
 		t.Fatalf("expected 401, got %d", status)
@@ -1827,90 +1831,6 @@ func assertFieldGTE(
 	}
 }

-func TestRegisterValid(t *testing.T) {
-	tserver := newTestServer(t)
-
-	body, err := json.Marshal(map[string]string{
-		"nick": "reguser", "password": "password123",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := doRequest(
-		t,
-		http.MethodPost,
-		tserver.url("/api/v1/register"),
-		bytes.NewReader(body),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	defer func() { _ = resp.Body.Close() }()
-
-	if resp.StatusCode != http.StatusCreated {
-		respBody, _ := io.ReadAll(resp.Body)
-		t.Fatalf(
-			"expected 201, got %d: %s",
-			resp.StatusCode, respBody,
-		)
-	}
-
-	var result map[string]any
-
-	_ = json.NewDecoder(resp.Body).Decode(&result)
-
-	if result["token"] == nil || result["token"] == "" {
-		t.Fatal("expected token in response")
-	}
-
-	if result["nick"] != "reguser" {
-		t.Fatalf(
-			"expected reguser, got %v", result["nick"],
-		)
-	}
-}
-
-func TestRegisterDuplicate(t *testing.T) {
-	tserver := newTestServer(t)
-
-	body, err := json.Marshal(map[string]string{
-		"nick": "dupuser", "password": "password123",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp, err := doRequest(
-		t,
-		http.MethodPost,
-		tserver.url("/api/v1/register"),
-		bytes.NewReader(body),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_ = resp.Body.Close()
-
-	resp2, err := doRequest(
-		t,
-		http.MethodPost,
-		tserver.url("/api/v1/register"),
-		bytes.NewReader(body),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	defer func() { _ = resp2.Body.Close() }()
-
-	if resp2.StatusCode != http.StatusConflict {
-		t.Fatalf("expected 409, got %d", resp2.StatusCode)
-	}
-}
-
 func postJSONExpectStatus(
 	t *testing.T,
 	tserver *testServer,
@@ -1945,36 +1865,102 @@ func postJSONExpectStatus(
 	}
 }

-func TestRegisterShortPassword(t *testing.T) {
+func TestPassCommand(t *testing.T) {
 	tserver := newTestServer(t)
+	token := tserver.createSession("passuser")

-	postJSONExpectStatus(
-		t, tserver, "/api/v1/register",
-		map[string]string{
-			"nick": "shortpw", "password": "short",
+	// Drain initial messages.
+	_, _ = tserver.pollMessages(token, 0)
+
+	// Set password via PASS command.
+	status, result := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: "PASS",
+			bodyKey:    []string{"s3cure_pass"},
 		},
-		http.StatusBadRequest,
 	)
+	if status != http.StatusOK {
+		t.Fatalf(
+			"expected 200, got %d: %v", status, result,
+		)
+	}
+
+	if result[statusKey] != "ok" {
+		t.Fatalf(
+			"expected ok, got %v", result[statusKey],
+		)
+	}
 }

-func TestRegisterInvalidNick(t *testing.T) {
+func TestPassCommandShortPassword(t *testing.T) {
 	tserver := newTestServer(t)
+	token := tserver.createSession("shortpw")

-	postJSONExpectStatus(
-		t, tserver, "/api/v1/register",
-		map[string]string{
-			"nick":     "bad nick!",
-			"password": "password123",
+	// Drain initial messages.
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Try short password — should fail.
+	status, _ := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: "PASS",
+			bodyKey:    []string{"short"},
 		},
-		http.StatusBadRequest,
 	)
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	if !findNumeric(msgs, "461") {
+		t.Fatalf(
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
+			msgs,
+		)
+	}
+}
+
+func TestPassCommandEmpty(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("emptypw")
+
+	// Drain initial messages.
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Try empty password — should fail.
+	status, _ := tserver.sendCommand(
+		token,
+		map[string]any{commandKey: "PASS"},
+	)
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	if !findNumeric(msgs, "461") {
+		t.Fatalf(
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
+			msgs,
+		)
+	}
 }

 func TestLoginValid(t *testing.T) {
 	tserver := newTestServer(t)

-	// Register first.
-	regBody, err := json.Marshal(map[string]string{
+	// Create session and set password via PASS command.
+	token := tserver.createSession("loginuser")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: "PASS",
+		bodyKey:    []string{"password123"},
+	})
+
+	// Login with nick + password.
+	loginBody, err := json.Marshal(map[string]string{
 		"nick": "loginuser", "password": "password123",
 	})
 	if err != nil {
@@ -1982,26 +1968,6 @@ func TestLoginValid(t *testing.T) {
 	}

 	resp, err := doRequest(
-		t,
-		http.MethodPost,
-		tserver.url("/api/v1/register"),
-		bytes.NewReader(regBody),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_ = resp.Body.Close()
-
-	// Login.
-	loginBody, err := json.Marshal(map[string]string{
-		"nick": "loginuser", "password": "password123",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp2, err := doRequest(
 		t,
 		http.MethodPost,
 		tserver.url("/api/v1/login"),
@@ -2011,31 +1977,33 @@ func TestLoginValid(t *testing.T) {
 		t.Fatal(err)
 	}

-	defer func() { _ = resp2.Body.Close() }()
+	defer func() { _ = resp.Body.Close() }()

-	if resp2.StatusCode != http.StatusOK {
-		respBody, _ := io.ReadAll(resp2.Body)
+	if resp.StatusCode != http.StatusOK {
+		respBody, _ := io.ReadAll(resp.Body)
 		t.Fatalf(
 			"expected 200, got %d: %s",
-			resp2.StatusCode, respBody,
+			resp.StatusCode, respBody,
 		)
 	}

-	var result map[string]any
+	// Extract auth cookie from login response.
+	var loginCookie string

-	_ = json.NewDecoder(resp2.Body).Decode(&result)
+	for _, cookie := range resp.Cookies() {
+		if cookie.Name == authCookieName {
+			loginCookie = cookie.Value

-	if result["token"] == nil || result["token"] == "" {
-		t.Fatal("expected token in response")
+			break
+		}
 	}

-	// Verify token works.
-	token, ok := result["token"].(string)
-	if !ok {
-		t.Fatal("token not a string")
+	if loginCookie == "" {
+		t.Fatal("expected auth cookie from login")
 	}

-	status, state := tserver.getState(token)
+	// Verify login cookie works for auth.
+	status, state := tserver.getState(loginCookie)
 	if status != http.StatusOK {
 		t.Fatalf("expected 200, got %d", status)
 	}
@@ -2051,49 +2019,22 @@ func TestLoginValid(t *testing.T) {
 func TestLoginWrongPassword(t *testing.T) {
 	tserver := newTestServer(t)

-	regBody, err := json.Marshal(map[string]string{
-		"nick": "wrongpwuser", "password": "correctpass1",
+	// Create session and set password via PASS command.
+	token := tserver.createSession("wrongpwuser")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: "PASS",
+		bodyKey:    []string{"correctpass1"},
 	})
-	if err != nil {
-		t.Fatal(err)
-	}

-	resp, err := doRequest(
-		t,
-		http.MethodPost,
-		tserver.url("/api/v1/register"),
-		bytes.NewReader(regBody),
+	postJSONExpectStatus(
+		t, tserver, "/api/v1/login",
+		map[string]string{
+			"nick":     "wrongpwuser",
+			"password": "wrongpass12",
+		},
+		http.StatusUnauthorized,
 	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_ = resp.Body.Close()
-
-	loginBody, err := json.Marshal(map[string]string{
-		"nick": "wrongpwuser", "password": "wrongpass12",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	resp2, err := doRequest(
-		t,
-		http.MethodPost,
-		tserver.url("/api/v1/login"),
-		bytes.NewReader(loginBody),
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	defer func() { _ = resp2.Body.Close() }()
-
-	if resp2.StatusCode != http.StatusUnauthorized {
-		t.Fatalf(
-			"expected 401, got %d", resp2.StatusCode,
-		)
-	}
 }

 func TestLoginNonexistentUser(t *testing.T) {
@@ -2109,13 +2050,74 @@ func TestLoginNonexistentUser(t *testing.T) {
 	)
 }

+func TestSessionCookie(t *testing.T) {
+	tserver := newTestServer(t)
+
+	body, err := json.Marshal(
+		map[string]string{"nick": "cookietest"},
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp, err := doRequest(
+		t,
+		http.MethodPost,
+		tserver.url(apiSession),
+		bytes.NewReader(body),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusCreated {
+		t.Fatalf(
+			"expected 201, got %d", resp.StatusCode,
+		)
+	}
+
+	// Verify Set-Cookie header.
+	var authCookie *http.Cookie
+
+	for _, cookie := range resp.Cookies() {
+		if cookie.Name == authCookieName {
+			authCookie = cookie
+
+			break
+		}
+	}
+
+	if authCookie == nil {
+		t.Fatal("expected neoirc_auth cookie")
+	}
+
+	if !authCookie.HttpOnly {
+		t.Fatal("cookie should be HttpOnly")
+	}
+
+	if authCookie.SameSite != http.SameSiteStrictMode {
+		t.Fatal("cookie should be SameSite=Strict")
+	}
+
+	// Verify JSON body does NOT contain token.
+	var result map[string]any
+
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+
+	if _, hasToken := result["token"]; hasToken {
+		t.Fatal("JSON body should not contain token")
+	}
+}
+
 func TestSessionStillWorks(t *testing.T) {
 	tserver := newTestServer(t)

 	// Verify anonymous session creation still works.
 	token := tserver.createSession("anon_user")
 	if token == "" {
-		t.Fatal("expected token for anonymous session")
+		t.Fatal("expected cookie for anonymous session")
 	}

 	status, state := tserver.getState(token)
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -5,120 +5,11 @@ import (
 	"net/http"
 	"strings"

-	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )

 const minPasswordLength = 8

-// HandleRegister creates a new user with a password.
-func (hdlr *Handlers) HandleRegister() http.HandlerFunc {
-	return func(
-		writer http.ResponseWriter,
-		request *http.Request,
-	) {
-		request.Body = http.MaxBytesReader(
-			writer, request.Body, hdlr.maxBodySize(),
-		)
-
-		hdlr.handleRegister(writer, request)
-	}
-}
-
-func (hdlr *Handlers) handleRegister(
-	writer http.ResponseWriter,
-	request *http.Request,
-) {
-	type registerRequest struct {
-		Nick     string `json:"nick"`
-		Password string `json:"password"`
-	}
-
-	var payload registerRequest
-
-	err := json.NewDecoder(request.Body).Decode(&payload)
-	if err != nil {
-		hdlr.respondError(
-			writer, request,
-			"invalid request body",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	payload.Nick = strings.TrimSpace(payload.Nick)
-
-	if !validNickRe.MatchString(payload.Nick) {
-		hdlr.respondError(
-			writer, request,
-			"invalid nick format",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	if len(payload.Password) < minPasswordLength {
-		hdlr.respondError(
-			writer, request,
-			"password must be at least 8 characters",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	sessionID, clientID, token, err :=
-		hdlr.params.Database.RegisterUser(
-			request.Context(),
-			payload.Nick,
-			payload.Password,
-		)
-	if err != nil {
-		hdlr.handleRegisterError(
-			writer, request, err,
-		)
-
-		return
-	}
-
-	hdlr.stats.IncrSessions()
-	hdlr.stats.IncrConnections()
-
-	hdlr.deliverMOTD(request, clientID, sessionID, payload.Nick)
-
-	hdlr.respondJSON(writer, request, map[string]any{
-		"id":    sessionID,
-		"nick":  payload.Nick,
-		"token": token,
-	}, http.StatusCreated)
-}
-
-func (hdlr *Handlers) handleRegisterError(
-	writer http.ResponseWriter,
-	request *http.Request,
-	err error,
-) {
-	if db.IsUniqueConstraintError(err) {
-		hdlr.respondError(
-			writer, request,
-			"nick already taken",
-			http.StatusConflict,
-		)
-
-		return
-	}
-
-	hdlr.log.Error(
-		"register user failed", "error", err,
-	)
-	hdlr.respondError(
-		writer, request,
-		"internal error",
-		http.StatusInternalServerError,
-	)
-}
-
 // HandleLogin authenticates a user with nick and password.
 func (hdlr *Handlers) HandleLogin() http.HandlerFunc {
 	return func(
@@ -195,9 +86,66 @@ func (hdlr *Handlers) handleLogin(
 		request, clientID, sessionID, payload.Nick,
 	)

+	hdlr.setAuthCookie(writer, request, token)
+
 	hdlr.respondJSON(writer, request, map[string]any{
-		"id":    sessionID,
-		"nick":  payload.Nick,
-		"token": token,
+		"id":   sessionID,
+		"nick": payload.Nick,
 	}, http.StatusOK)
 }
+
+// handlePass handles the IRC PASS command to set a
+// password on the authenticated session, enabling
+// multi-client login via POST /api/v1/login.
+func (hdlr *Handlers) handlePass(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick string,
+	bodyLines func() []string,
+) {
+	lines := bodyLines()
+	if len(lines) == 0 || lines[0] == "" {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdPass},
+			"Not enough parameters",
+		)
+
+		return
+	}
+
+	password := lines[0]
+
+	if len(password) < minPasswordLength {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdPass},
+			"Password must be at least 8 characters",
+		)
+
+		return
+	}
+
+	err := hdlr.params.Database.SetPassword(
+		request.Context(), sessionID, password,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"set password failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}