change isPasswordCorrect to return false if user does not have password

2025-11-03 20:45:58 +01:00 · 2018-09-06 14:32:44 -04:00
parent 84a0a68b2b
commit 25fed0aa8d
3 changed files with 27 additions and 14 deletions
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -37,6 +37,12 @@ SocketUser.deleteAccount = function (socket, data, callback) {

 	async.waterfall([
 		function (next) {
+			user.hasPassword(socket.uid, next);
+		},
+		function (hasPassword, next) {
+			if (!hasPassword) {
+				return next();
+			}
 			user.isPasswordCorrect(socket.uid, data.password, socket.ip, function (err, ok) {
 				next(err || (!ok ? new Error('[[error:invalid-password]]') : undefined));
 			});
--- a/src/user/password.js
+++ b/src/user/password.js
@@ -24,9 +24,7 @@ module.exports = function (User) {
 			},
 			function (_hashedPassword, next) {
 				hashedPassword = _hashedPassword;
-				if (uid && !hashedPassword) {
-					return callback(null, true);
-				} else if (!hashedPassword) {
+				if (!hashedPassword) {
 					// Non-existant user, submit fake hash for comparison
 					hashedPassword = '';
 				}
@@ -37,17 +35,13 @@ module.exports = function (User) {
 			function (next) {
 				Password.compare(password, hashedPassword, next);
 			},
-		], function (err, ok) {
-			if (err) {
-				return callback(err);
-			}
-
+			function (ok, next) {
 				if (ok) {
 					User.auth.clearLoginAttempts(uid);
 				}
-
-			callback(null, ok);
-		});
+				next(null, ok);
+			},
+		], callback);
 	};

 	User.hasPassword = function (uid, callback) {
--- a/test/authentication.js
+++ b/test/authentication.js
@@ -303,6 +303,19 @@ describe('authentication', function () {
 		});
 	});

+	it('should fail to login if user does not have password field in db', function (done) {
+		user.create({ username: 'hasnopassword', email: 'no@pass.org' }, function (err, uid) {
+			assert.ifError(err);
+			loginUser('hasnopassword', 'doesntmatter', function (err, response, body) {
+				assert.ifError(err);
+				console.log(response.statusCode, body);
+				assert.equal(response.statusCode, 403);
+				assert.equal(body, '[[error:invalid-login-credentials]]');
+				done();
+			});
+		});
+	});
+
 	it('should fail to login if password is longer than 4096', function (done) {
 		var longPassword;
 		for (var i = 0; i < 5000; i++) {