MirrorHub/dendrite
0
0
Fork 0
mirror of https://github.com/matrix-org/dendrite synced 2024-06-22 22:38:23 +02:00
Code Issues Releases Wiki Activity

Stronger passwordless account checks (fixes #2780)

Browse source
This commit is contained in:
Neil Alexander 2022-10-10 10:39:29 +01:00
parent f1b8df0f49
commit 980fa55846
No known key found for this signature in database
GPG key ID: A02A2019A2BB0944
2 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
userapi/internal/api.go
View file

@ -838,6 +838,8 @@ func (a *UserInternalAPI) QueryAccountByPassword(ctx context.Context, req *api.Q
return nil
case bcrypt.ErrMismatchedHashAndPassword: // user exists, but password doesn't match
return nil
case bcrypt.ErrHashTooShort: // user exists, but probably a passwordless account
return nil
default:
res.Exists = true
res.Account = acc

3
userapi/storage/shared/storage.go
View file

@ -75,6 +75,9 @@ func (d *Database) GetAccountByPassword(
if err != nil {
return nil, err
}
if hash == "" {
return nil, bcrypt.ErrHashTooShort
}
if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil {
return nil, err
}