
`admin.createUser` doesn't check password strength

Open castvoid opened this issue 10 months ago • 0 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

`supabase.auth.admin.createUser` doesn’t run the configured password strength rules. (implementation lives here).

`supabase.auth.admin.updateUser` does seem to do so.

As a result, if an application:

  1. has password strength rules configured, and
  2. calls `admin.createUser` with a user-provided password,

then users may be able to use passwords that don’t match the configured password strength rules.

Having the admin endpoint bypass password rules could be a desired behaviour, to give a route for admins to bypass the password rules. However:

  1. that’s not consistent with `admin.updateUser` applying the rules
  2. it feels like a less-secure default.

To Reproduce

Steps to reproduce the behavior:

  1. Define a password strength rule through the UI (docs)
  2. Call `supabase.auth.admin.createUser` with a password that doesn't match the rule
  3. Observe that the user was successfully created

Expected behavior

The request is rejected with an error indicating the password was too weak.

Additional context

Migrated from an email thread w/ supabase security

castvoid · Mar 11 '25 15:03
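Until the server enforces the rules on this path, an application can apply the policy itself before calling `admin.createUser`. The guard below is an added example, not code from the issue or from Supabase; the policy shape (minimum length plus required character classes), the `createUserWithPolicy` name and the `app_weak_password` code are assumptions, and the admin client is replaced by a constructed stand-in so it runs offline.

```javascript
// Added example, not code from the issue or from Supabase: an application-side
// guard that applies a password policy before auth.admin.createUser is called,
// so a weak password is rejected even though the server skips the check here.
// The policy fields are an assumption modelled on the dashboard options.
const DEFAULT_POLICY = {
  minLength: 12,
  requireLower: true,
  requireUpper: true,
  requireDigit: true,
  requireSymbol: true,
};

// Returns the list of unmet requirements; an empty list means the password passes.
function checkPasswordStrength(password, policy = DEFAULT_POLICY) {
  const pw = typeof password === "string" ? password : "";
  const problems = [];
  if (pw.length < policy.minLength) problems.push(`at least ${policy.minLength} characters`);
  if (policy.requireLower && !/[a-z]/.test(pw)) problems.push("a lowercase letter");
  if (policy.requireUpper && !/[A-Z]/.test(pw)) problems.push("an uppercase letter");
  if (policy.requireDigit && !/[0-9]/.test(pw)) problems.push("a digit");
  if (policy.requireSymbol && !/[^A-Za-z0-9]/.test(pw)) problems.push("a symbol");
  return problems;
}

// Wraps adminAuth.createUser (e.g. supabase.auth.admin) and mirrors its
// { data, error } result shape. "app_weak_password" is this wrapper's own code,
// not a Supabase error code; the admin call is only made once the policy passes.
async function createUserWithPolicy(adminAuth, attrs, policy = DEFAULT_POLICY) {
  const problems = checkPasswordStrength(attrs.password, policy);
  if (problems.length > 0) {
    return {
      data: null,
      error: { code: "app_weak_password", message: `Password must contain ${problems.join(", ")}` },
    };
  }
  return adminAuth.createUser(attrs);
}

// Constructed stand-in for supabase.auth.admin so the example runs offline;
// it records which users it was asked to create and accepts all of them,
// which is the behaviour the issue reports for weak passwords.
const createdUsers = [];
const fakeAdminAuth = {
  async createUser(attrs) {
    createdUsers.push(attrs.email);
    return { data: { user: { email: attrs.email } }, error: null };
  },
};
```

With the real client, pass `supabase.auth.admin` in place of `fakeAdminAuth`; the rest of the call site stays the same.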