From 25fed0aa8d377e5ff84fa09e5cec28efd0f4dd53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <baris@nodebb.org>
Date: Thu, 6 Sep 2018 14:32:44 -0400
Subject: [PATCH] change isPasswordCorrect to return false if user does not
 have password

---
 src/socket.io/user.js  |  6 ++++++
 src/user/password.js   | 22 ++++++++--------------
 test/authentication.js | 13 +++++++++++++
 3 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/src/socket.io/user.js b/src/socket.io/user.js
index 2df4cfa612..ece95c875e 100644
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -37,6 +37,12 @@ SocketUser.deleteAccount = function (socket, data, callback) {
 
 	async.waterfall([
 		function (next) {
+			user.hasPassword(socket.uid, next);
+		},
+		function (hasPassword, next) {
+			if (!hasPassword) {
+				return next();
+			}
 			user.isPasswordCorrect(socket.uid, data.password, socket.ip, function (err, ok) {
 				next(err || (!ok ? new Error('[[error:invalid-password]]') : undefined));
 			});
diff --git a/src/user/password.js b/src/user/password.js
index 78dc61cec4..bfb65f9cb3 100644
--- a/src/user/password.js
+++ b/src/user/password.js
@@ -24,9 +24,7 @@ module.exports = function (User) {
 			},
 			function (_hashedPassword, next) {
 				hashedPassword = _hashedPassword;
-				if (uid && !hashedPassword) {
-					return callback(null, true);
-				} else if (!hashedPassword) {
+				if (!hashedPassword) {
 					// Non-existant user, submit fake hash for comparison
 					hashedPassword = '';
 				}
@@ -37,17 +35,13 @@ module.exports = function (User) {
 			function (next) {
 				Password.compare(password, hashedPassword, next);
 			},
-		], function (err, ok) {
-			if (err) {
-				return callback(err);
-			}
-
-			if (ok) {
-				User.auth.clearLoginAttempts(uid);
-			}
-
-			callback(null, ok);
-		});
+			function (ok, next) {
+				if (ok) {
+					User.auth.clearLoginAttempts(uid);
+				}
+				next(null, ok);
+			},
+		], callback);
 	};
 
 	User.hasPassword = function (uid, callback) {
diff --git a/test/authentication.js b/test/authentication.js
index b90d585971..650fcac74b 100644
--- a/test/authentication.js
+++ b/test/authentication.js
@@ -303,6 +303,19 @@ describe('authentication', function () {
 		});
 	});
 
+	it('should fail to login if user does not have password field in db', function (done) {
+		user.create({ username: 'hasnopassword', email: 'no@pass.org' }, function (err, uid) {
+			assert.ifError(err);
+			loginUser('hasnopassword', 'doesntmatter', function (err, response, body) {
+				assert.ifError(err);
+				console.log(response.statusCode, body);
+				assert.equal(response.statusCode, 403);
+				assert.equal(body, '[[error:invalid-login-credentials]]');
+				done();
+			});
+		});
+	});
+
 	it('should fail to login if password is longer than 4096', function (done) {
 		var longPassword;
 		for (var i = 0; i < 5000; i++) {