From 980fa55846811eeff89f116c49b38b085143c64e Mon Sep 17 00:00:00 2001
From: Neil Alexander <neilalexander@users.noreply.github.com>
Date: Mon, 10 Oct 2022 10:39:29 +0100
Subject: [PATCH] Stronger passwordless account checks (fixes #2780)

---
 userapi/internal/api.go           | 2 ++
 userapi/storage/shared/storage.go | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/userapi/internal/api.go b/userapi/internal/api.go
index 591faffd6..2f7795dfe 100644
--- a/userapi/internal/api.go
+++ b/userapi/internal/api.go
@@ -838,6 +838,8 @@ func (a *UserInternalAPI) QueryAccountByPassword(ctx context.Context, req *api.Q
 		return nil
 	case bcrypt.ErrMismatchedHashAndPassword: // user exists, but password doesn't match
 		return nil
+	case bcrypt.ErrHashTooShort: // user exists, but probably a passwordless account
+		return nil
 	default:
 		res.Exists = true
 		res.Account = acc
diff --git a/userapi/storage/shared/storage.go b/userapi/storage/shared/storage.go
index 3ff299f1b..09eeedc9f 100644
--- a/userapi/storage/shared/storage.go
+++ b/userapi/storage/shared/storage.go
@@ -75,6 +75,9 @@ func (d *Database) GetAccountByPassword(
 	if err != nil {
 		return nil, err
 	}
+	if hash == "" {
+		return nil, bcrypt.ErrHashTooShort
+	}
 	if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil {
 		return nil, err
 	}