Stronger passwordless account checks (fixes #2780)
This commit is contained in:
parent
f1b8df0f49
commit
980fa55846
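--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -838,6 +838,8 @@ func (a *UserInternalAPI) QueryAccountByPassword(ctx context.Context, req *api.Q
 return nil
 case bcrypt.ErrMismatchedHashAndPassword: // user exists, but password doesn't match
 return nil
+case bcrypt.ErrHashTooShort: // user exists, but probably a passwordless account
+return nil
 default:
 res.Exists = true
 res.Account = acc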
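Review bot: The new `case bcrypt.ErrHashTooShort` arm has exactly the same body as the `ErrMismatchedHashAndPassword` arm above it, so the two can be merged into `case bcrypt.ErrMismatchedHashAndPassword, bcrypt.ErrHashTooShort: // wrong password, or a passwordless account: report neither as a match`, which also makes it explicit that the two outcomes are deliberately indistinguishable to the caller. The comment's "probably" should be made precise: bcrypt reports ErrHashTooShort for any stored hash shorter than its minimum length, not only for the empty hash the storage layer now maps to it, so a truncated or corrupt hash also lands here and is refused, which is the safe default and worth stating in the comment. QueryAccountByPassword starts and ends outside the hunk, so I cannot confirm what `res.Exists` holds before the switch; presumably its zero value, which is what both early returns rely on.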
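--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -75,6 +75,9 @@ func (d *Database) GetAccountByPassword(
 if err != nil {
 return nil, err
 }
+if hash == "" {
+return nil, bcrypt.ErrHashTooShort
+}
 if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil {
 return nil, err
 }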
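Review bot: Returning `bcrypt.ErrHashTooShort` for an empty stored hash reuses a sentinel owned by another package to carry a domain meaning ("this account has no password"), and the caller in QueryAccountByPassword switches on that exact value, so the passwordless signal is now coupled to bcrypt's error set. A package-level sentinel of this project's own, for example `var ErrNoPassword = errors.New("account has no password")` (name is a suggestion), returned here and matched by the caller would make the intent explicit and survive any change in which error bcrypt reports for short input. `bcrypt.CompareHashAndPassword` already returns ErrHashTooShort when the hash is shorter than its minimum, so the added guard changes no outcome today; a comment such as `// Passwordless accounts store an empty hash; refuse explicitly rather than relying on bcrypt's length check.` would record why the explicit check exists. The `hash` variable's origin and the function signature are outside the hunk, so I cannot confirm whether an empty string is the only representation a passwordless account can have in storage.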