Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-12-23 17:00:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

change isPasswordCorrect to return false if user does not have password

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2018-09-06 14:32:44 -04:00
parent 84a0a68b2b
commit 25fed0aa8d
3 changed files with 27 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/socket.io/user.js
View File

@@ -37,6 +37,12 @@ SocketUser.deleteAccount = function (socket, data, callback) {
async.waterfall([ async.waterfall([
function (next) { function (next) {
user.hasPassword(socket.uid, next);
},
function (hasPassword, next) {
if (!hasPassword) {
return next();
}
user.isPasswordCorrect(socket.uid, data.password, socket.ip, function (err, ok) { user.isPasswordCorrect(socket.uid, data.password, socket.ip, function (err, ok) {
next(err || (!ok ? new Error('[[error:invalid-password]]') : undefined)); next(err || (!ok ? new Error('[[error:invalid-password]]') : undefined));
}); });

22
src/user/password.js
View File

@@ -24,9 +24,7 @@ module.exports = function (User) {
}, },
function (_hashedPassword, next) { function (_hashedPassword, next) {
hashedPassword = _hashedPassword; hashedPassword = _hashedPassword;
if (uid && !hashedPassword) { if (!hashedPassword) {
return callback(null, true);
} else if (!hashedPassword) {
// Non-existant user, submit fake hash for comparison // Non-existant user, submit fake hash for comparison
hashedPassword = ''; hashedPassword = '';
} }
@@ -37,17 +35,13 @@ module.exports = function (User) {
function (next) { function (next) {
Password.compare(password, hashedPassword, next); Password.compare(password, hashedPassword, next);
}, },
], function (err, ok) { function (ok, next) {
if (err) { if (ok) {
return callback(err); User.auth.clearLoginAttempts(uid);
} }
next(null, ok);
if (ok) { },
User.auth.clearLoginAttempts(uid); ], callback);
}
callback(null, ok);
});
}; };
User.hasPassword = function (uid, callback) { User.hasPassword = function (uid, callback) {

13
test/authentication.js
View File

@@ -303,6 +303,19 @@ describe('authentication', function () {
}); });
}); });
it('should fail to login if user does not have password field in db', function (done) {
user.create({ username: 'hasnopassword', email: 'no@pass.org' }, function (err, uid) {
assert.ifError(err);
loginUser('hasnopassword', 'doesntmatter', function (err, response, body) {
assert.ifError(err);
console.log(response.statusCode, body);
assert.equal(response.statusCode, 403);
assert.equal(body, '[[error:invalid-login-credentials]]');
done();
});
});
});
it('should fail to login if password is longer than 4096', function (done) { it('should fail to login if password is longer than 4096', function (done) {
var longPassword; var longPassword;
for (var i = 0; i < 5000; i++) { for (var i = 0; i < 5000; i++) {