From 287f4c2c411d7ee48ab9540fa59f6555a20e1f6d Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 5 Aug 2022 13:42:02 -0400
Subject: [PATCH] fix: do not throw if password passed into `isPasswordCorrect` is invalid, just return false
---
 src/user/password.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/user/password.js b/src/user/password.js
index 6761ed372d..f70ba1aa13 100644
--- a/src/user/password.js
+++ b/src/user/password.js
@@ -26,7 +26,12 @@ module.exports = function (User) {
 hashedPassword = '';
 }
 
- User.isPasswordValid(password, 0);
+ try {
+ User.isPasswordValid(password, 0);
+ } catch (e) {
+ return false;
+ }
+
 await User.auth.logAttempt(uid, ip);
 const ok = await Password.compare(password, hashedPassword, !!parseInt(shaWrapped, 10));
 if (ok) {
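Review bot: The bare `catch (e)` around `User.isPasswordValid(password, 0)` turns every exception into a plain `false`, so an unexpected failure inside the validator looks the same as a wrong password and leaves no trace. If the validator's expected errors can be told apart from others, rethrow the rest; otherwise state the intent in a comment such as `// validation errors mean the password can never match; treat as a failed check`. The early return also sits before `await User.auth.logAttempt(uid, ip)`, so these rejected attempts are presumably never recorded. If attempt logging feeds lockout or monitoring, confirm that skipping it here is intended and say so in the same comment. The enclosing function begins and ends outside this hunk, so its earlier branches and what happens after `if (ok) {` are not visible here.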