Phase 3: Add char[] overloads to PasswordPolicyService and UserService

Co-authored-by: devondragon <1254537+devondragon@users.noreply.github.com>

Author: Copilot

src/main/java/com/digitalsanctuary/spring/user/service/PasswordPolicyService.java

@@ -154,6 +154,41 @@ public List<String> validate(User user, String password, String usernameOrEmail,
         return validateWithPassay(password, rules, locale);
     }
 
+    /**
+     * Validate the given password (as char array) against the configured policy rules.
+     * This is the preferred method for security as it allows explicit password clearing.
+     *
+     * <p>Note: The password char array is converted to String internally only when needed
+     * for validation, and the String is not retained beyond the validation process.</p>
+     *
+     * <p>Note: The user parameter may be null during new user registration.
+     * When null, password history checking is skipped (since new users have no history).
+     * This is intentional - history checks only apply to existing users changing their passwords.</p>
+     *
+     * @param user            The user (may be null for new registrations)
+     * @param passwordChars   the password as char array to validate
+     * @param usernameOrEmail optional username/email for similarity checks
+     * @param locale          the locale
+     * @return list of error messages if validation fails, empty if valid
+     */
+    public List<String> validate(User user, char[] passwordChars, String usernameOrEmail, Locale locale) {
+        if (passwordChars == null) {
+            return List.of("Password cannot be null");
+        }
+        
+        // Convert to String for validation
+        // Note: We need String for Passay library and password encoder
+        String password = new String(passwordChars);
+        try {
+            return validate(user, password, usernameOrEmail, locale);
+        } finally {
+            // Clear the temporary String from memory (best effort)
+            // Note: String is immutable so this won't actually clear the String,
+            // but it helps signal intent and clears the reference
+            password = null;
+        }
+    }
+
     /**
      * Build the list of Passay rules based on configuration.
      *

src/main/java/com/digitalsanctuary/spring/user/service/UserService.java

@@ -448,6 +448,28 @@ public void changeUserPassword(final User user, final String password) {
 		savePasswordHistory(user, encodedPassword);
 	}
 
+	/**
+	 * Change user password (char array version - preferred for security).
+	 * This method converts the char array to String for encoding and immediately clears it.
+	 *
+	 * @param user          the user
+	 * @param passwordChars the password as char array
+	 */
+	public void changeUserPassword(final User user, final char[] passwordChars) {
+		if (passwordChars == null) {
+			throw new IllegalArgumentException("Password cannot be null");
+		}
+		
+		// Convert to String for password encoder (required by BCrypt)
+		String password = new String(passwordChars);
+		try {
+			changeUserPassword(user, password);
+		} finally {
+			// Clear the temporary String reference
+			password = null;
+		}
+	}
+
 	/**
 	 * Check if valid old password.
 	 *
@@ -462,6 +484,29 @@ public boolean checkIfValidOldPassword(final User user, final String oldPassword
 		return passwordEncoder.matches(oldPassword, user.getPassword());
 	}
 
+	/**
+	 * Check if valid old password (char array version - preferred for security).
+	 * This method converts the char array to String for verification.
+	 *
+	 * @param user             the user
+	 * @param oldPasswordChars the old password as char array
+	 * @return true, if successful
+	 */
+	public boolean checkIfValidOldPassword(final User user, final char[] oldPasswordChars) {
+		if (oldPasswordChars == null) {
+			return false;
+		}
+		
+		// Convert to String for password encoder
+		String oldPassword = new String(oldPasswordChars);
+		try {
+			return checkIfValidOldPassword(user, oldPassword);
+		} finally {
+			// Clear the temporary String reference
+			oldPassword = null;
+		}
+	}
+
 	/**
 	 * See if the Email exists in the user repository.
 	 *