From 980fa55846811eeff89f116c49b38b085143c64e Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Mon, 10 Oct 2022 10:39:29 +0100 Subject: [PATCH] Stronger passwordless account checks (fixes #2780) --- userapi/internal/api.go | 2 ++ userapi/storage/shared/storage.go | 3 +++ 2 files changed, 5 insertions(+) diff --git a/userapi/internal/api.go b/userapi/internal/api.go index 591faffd..2f7795df 100644 --- a/userapi/internal/api.go +++ b/userapi/internal/api.go @@ -838,6 +838,8 @@ func (a *UserInternalAPI) QueryAccountByPassword(ctx context.Context, req *api.Q return nil case bcrypt.ErrMismatchedHashAndPassword: // user exists, but password doesn't match return nil + case bcrypt.ErrHashTooShort: // user exists, but probably a passwordless account + return nil default: res.Exists = true res.Account = acc diff --git a/userapi/storage/shared/storage.go b/userapi/storage/shared/storage.go index 3ff299f1..09eeedc9 100644 --- a/userapi/storage/shared/storage.go +++ b/userapi/storage/shared/storage.go @@ -75,6 +75,9 @@ func (d *Database) GetAccountByPassword( if err != nil { return nil, err } + if hash == "" { + return nil, bcrypt.ErrHashTooShort + } if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil { return nil, err }