Fix invalid password hash error message

Previously, posting definitions with an invalid password hash (e.g.,
"password_hash": "invalid_hash") resulted in an unhelpful error:
"Negative count: -10"

This occurred because the password parsing code didn't validate the
decoded hash size before extracting the salt, causing ArgumentError
when salt_size became negative.

Added validation to catch:
- Invalid Base64 encoding in password hashes
- Decoded hash size smaller than required digest size

Now returns clear error messages:
- "Invalid password hash: not valid Base64 encoding (...)"
- "Invalid password hash: decoded size X bytes is smaller than required
  digest size Y bytes for <algorithm>"

Also added test coverage for:
- Invalid password hash error handling
- Exchange-to-exchange bindings in definitions upload

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: carlhoerberg

spec/api/definitions_spec.cr

@@ -226,7 +226,28 @@ describe LavinMQ::HTTP::Server do
         body["reason"].as_s.should eq("Malformed JSON")
       end
     end
+
+    it "should return sensible error for invalid password hash" do
+      with_http_server do |http, _|
+        body = %({
+          "users": [{
+            "name": "testuser",
+            "password_hash": "invalid_hash",
+            "tags": "administrator"
+          }]
+        })
+        response = http.post("/api/definitions", body: body)
+        response.status_code.should eq 400
+        error_body = JSON.parse(response.body)
+        error_body["error"].as_s.should eq "bad_request"
+        # Should have a sensible error message, not just "Negative count: -10"
+        reason = error_body["reason"].as_s
+        reason.should_not contain("Negative count")
+        reason.should contain("Invalid password hash")
+      end
+    end
   end
+
   describe "GET /api/definitions" do
     it "exports users" do
       with_http_server do |http, _|
@@ -581,6 +602,7 @@ describe LavinMQ::HTTP::Server do
       end
     end
   end
+
   describe "POST /api/definitions/upload" do
     it "imports definitions from uploaded file (no Referer)" do
       with_http_server do |http, s|

src/lavinmq/auth/password.cr

@@ -59,7 +59,14 @@ module LavinMQ
             @raw_hash = raw_hash
           end
 
-          bytes = Base64.decode @raw_hash
+          begin
+            bytes = Base64.decode @raw_hash
+          rescue ex : Base64::Error
+            raise InvalidPasswordHash.new("Invalid password hash: not valid Base64 encoding (#{ex.message})")
+          end
+          if bytes.size < digest_size
+            raise InvalidPasswordHash.new("Invalid password hash: decoded size #{bytes.size} bytes is smaller than required digest size #{digest_size} bytes for #{hash_algorithm}")
+          end
           salt_size = bytes.size - digest_size
           @salt = bytes[0, salt_size]
           @hash = bytes + salt_size