Stronger passwordless account checks (fixes #2780)

This commit is contained in:
Neil Alexander 2022-10-10 10:39:29 +01:00
parent f1b8df0f49
commit 980fa55846
No known key found for this signature in database
GPG key ID: A02A2019A2BB0944
2 changed files with 5 additions and 0 deletions


@ -838,6 +838,8 @@ func (a *UserInternalAPI) QueryAccountByPassword(ctx context.Context, req *api.Q
return nil return nil
case bcrypt.ErrMismatchedHashAndPassword: // user exists, but password doesn't match case bcrypt.ErrMismatchedHashAndPassword: // user exists, but password doesn't match
return nil return nil
case bcrypt.ErrHashTooShort: // user exists, but probably a passwordless account
return nil
default: default:
res.Exists = true res.Exists = true
res.Account = acc res.Account = acc
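Review bot: The new `bcrypt.ErrHashTooShort` case on the line after the mismatch case gives a passwordless account the same "does not exist" answer as a wrong password, which keeps the response uniform, but it also silently absorbs a stored hash that is genuinely truncated or malformed, because bcrypt returns this same error for any hash shorter than its minimum length, not only for the empty one the storage layer now substitutes. A debug-level log line before the `return nil` would let an operator tell a deliberately passwordless account from a corrupt row without changing what the caller sees. The inline comment should also say where the error comes from rather than "probably", e.g. `case bcrypt.ErrHashTooShort: // user exists but has no password (storage returns this for an empty hash), or the stored hash is malformed`. QueryAccountByPassword starts before the hunk, where the switched-on error and `acc` are produced, and its default case continues after it.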


@ -75,6 +75,9 @@ func (d *Database) GetAccountByPassword(
if err != nil { if err != nil {
return nil, err return nil, err
} }
if hash == "" {
return nil, bcrypt.ErrHashTooShort
}
if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil { if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil {
return nil, err return nil, err
} }
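Review bot: The added `if hash == ""` guard returns a third-party sentinel, `bcrypt.ErrHashTooShort`, to signal a domain condition ("this account has no password"), which couples every caller to bcrypt's error vocabulary; a package-level sentinel such as `var ErrNoPasswordSet = errors.New("account has no password set")` would name the condition directly, though the matching switch case in the other changed file would then have to match it instead, so this is a style point rather than a defect. The guard is also largely redundant, since `bcrypt.CompareHashAndPassword` already returns `ErrHashTooShort` for any hash below its minimum length, the empty string included, so a comment should state that the early return exists to make the passwordless case explicit and skip the compare, e.g. `// An empty hash means a passwordless account; return before bcrypt rather than relying on its length check.` Note the early return also skips the bcrypt work, so this path answers faster than the mismatch path below; the not-found path above already returns before bcrypt as well, so this is a pre-existing property of the function rather than a regression. GetAccountByPassword begins before the hunk, where `hash` is read.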