security: patch primsa expansion on token request

Mintplex-Labs · Mar 29, 2024 · 2374939 · 2374939
1 parent 52fac84
commit 2374939
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
@@ -105,7 +105,7 @@ function systemEndpoints(app) {
 
       if (await SystemSettings.isMultiUserMode()) {
         const { username, password } = reqBody(request);
-        const existingUser = await User.get({ username });
+        const existingUser = await User.get({ username: String(username) });
 
         if (!existingUser) {
           await EventLogs.logEvent(
@@ -125,7 +125,7 @@ function systemEndpoints(app) {
           return;
         }
 
-        if (!bcrypt.compareSync(password, existingUser.password)) {
+        if (!bcrypt.compareSync(String(password), existingUser.password)) {
           await EventLogs.logEvent(
             "failed_login_invalid_password",
             {