From c25ae04fcacbad9cf7a6e95cfdd54908fd954f37 Mon Sep 17 00:00:00 2001
From: dbauszus-glx
Date: Wed, 7 Feb 2024 12:56:02 +0000
Subject: [PATCH 1/2] Err on null password login
---
 mod/user/fromACL.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/mod/user/fromACL.js b/mod/user/fromACL.js
index 51adc658cb..82500e4d72 100644
--- a/mod/user/fromACL.js
+++ b/mod/user/fromACL.js
@@ -80,6 +80,8 @@ async function getUser(request) {
 if (!user) return new Error('auth_failed')
+ if (!user.password) return new Error('no_user_password')
+
 // Blocked user cannot login.
 if (user.blocked) {
 return new Error(await languageTemplates({
From 8c74d5d8c650f132c2f6993fd3b2adb7d934e2aa Mon Sep 17 00:00:00 2001
From: dbauszus-glx
Date: Wed, 7 Feb 2024 13:06:48 +0000
Subject: [PATCH 2/2] return fail message; do not lock account
---
 mod/user/fromACL.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mod/user/fromACL.js b/mod/user/fromACL.js
index 82500e4d72..443736ff58 100644
--- a/mod/user/fromACL.js
+++ b/mod/user/fromACL.js
@@ -52,6 +52,12 @@ module.exports = async (req) => {
 const user = await getUser(request)
+ if (user === undefined) {
+
+ // This will happen when a user has a null password.
+ return new Error('auth_failed')
+ }
+
 if (user instanceof Error) {
 return await failedLogin(request)
@@ -80,7 +86,7 @@ async function getUser(request) {
 if (!user) return new Error('auth_failed')
- if (!user.password) return new Error('no_user_password')
+ if (!user.password) return;
 // Blocked user cannot login.
 if (user.blocked) {
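Review bot: In the getUser hunk of patch 1/2, the added `if (!user.password)` guard carries no comment saying which accounts are expected to have no stored password, and it runs ahead of the blocked check in the same hunk, so a blocked account without a password is answered with the password error rather than the blocked message. A line such as `// No stored password: this account cannot authenticate with a password.` above the guard would record the intent. The error string `no_user_password` is distinct from `auth_failed`; what the caller does with it is outside this hunk, so it is worth confirming it never reaches the client, where it would show that the account exists. getUser's body starts and ends outside the hunk.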
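Review bot: In the `module.exports` hunk of patch 2/2, the new `user === undefined` branch returns before `failedLogin(request)` is reached, so a login attempt against a password-less account is not counted and, as far as this hunk shows, not recorded anywhere. That matches the commit title, but repeated attempts against such accounts then leave no trace; a log entry inside this branch would keep them visible to whoever reviews authentication events. Whether `failedLogin` returns the same `auth_failed` result is not visible here; if it differs, the response separates password-less accounts from wrong passwords and the two should be aligned. The branch also catches any other path on which getUser returns nothing, not only the null-password case its comment names.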
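Review bot: In the getUser hunk of patch 2/2, `if (!user.password) return;` signals the caller through an implicit `undefined`, and nothing at this line says so. Proposed comment above it: `// No stored password: return undefined so the caller fails the login without counting a failed attempt.` The test is on truthiness, so an empty-string password takes this path as well, which the caller's comment ("null password") does not mention. A named sentinel would be harder to confuse with an accidental fall-through, though it would have to change together with the `user === undefined` check in the first hunk of this patch. getUser's body starts and ends outside the hunk.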