Greenfield: Users API fixes (#6425)

* Do not crash when creatuing users without password

* More precise error message for user approval toggling

BTCPayServer/Controllers/GreenField/GreenfieldUsersController.cs

@@ -112,14 +112,13 @@ namespace BTCPayServer.Controllers.Greenfield
                 return this.UserNotFound();
             }
 
-            var success = false;
             if (user.RequiresApproval)
             {
-                success = await _userService.SetUserApproval(user.Id, request.Approved, Request.GetAbsoluteRootUri());
+                return await _userService.SetUserApproval(user.Id, request.Approved, Request.GetAbsoluteRootUri())
+                    ? Ok()
+                    : this.CreateAPIError("invalid-state", $"User is already {(request.Approved ? "approved" : "unapproved")}");
             }
-
-            return success ? Ok() : this.CreateAPIError("invalid-state",
-                $"{(request.Approved ? "Approving" : "Unapproving")} user failed");
+            return this.CreateAPIError("invalid-state", $"{(request.Approved ? "Approving" : "Unapproving")} user failed: No approval required");
         }
 
         [Authorize(Policy = Policies.CanViewUsers, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
@@ -350,21 +349,25 @@ namespace BTCPayServer.Controllers.Greenfield
             blob.Name = request.Name;
             blob.ImageUrl = request.ImageUrl;
             user.SetBlob(blob);
-            var passwordValidation = await this._passwordValidator.ValidateAsync(_userManager, user, request.Password);
-            if (!passwordValidation.Succeeded)
+            var hasPassword = !string.IsNullOrEmpty(request.Password);
+            if (hasPassword)
             {
-                foreach (var error in passwordValidation.Errors)
+                var passwordValidation = await _passwordValidator.ValidateAsync(_userManager, user, request.Password);
+                if (!passwordValidation.Succeeded)
                 {
-                    ModelState.AddModelError(nameof(request.Password), error.Description);
+                    foreach (var error in passwordValidation.Errors)
+                    {
+                        ModelState.AddModelError(nameof(request.Password), error.Description);
+                    }
+                    return this.CreateValidationError(ModelState);
                 }
-                return this.CreateValidationError(ModelState);
             }
             if (!isAdmin)
             {
                 if (!await _throttleService.Throttle(ZoneLimits.Register, this.HttpContext.Connection.RemoteIpAddress, cancellationToken))
                     return new TooManyRequestsResult(ZoneLimits.Register);
             }
-            var identityResult = await _userManager.CreateAsync(user, request.Password);
+            var identityResult = hasPassword ? await _userManager.CreateAsync(user, request.Password) : await _userManager.CreateAsync(user);
             if (!identityResult.Succeeded)
             {
                 foreach (var error in identityResult.Errors)