security: patch primsa expansion on token request

timothycarambat · timothycarambat · commit 2374939ffb55 · 2024-03-29T11:47:30.000-07:00
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
@@ -105,7 +105,7 @@ function systemEndpoints(app) {
 
       if (await SystemSettings.isMultiUserMode()) {
         const { username, password } = reqBody(request);
-        const existingUser = await User.get({ username });
+        const existingUser = await User.get({ username: String(username) });
 
         if (!existingUser) {
           await EventLogs.logEvent(
@@ -125,7 +125,7 @@ function systemEndpoints(app) {
           return;
         }
 
-        if (!bcrypt.compareSync(password, existingUser.password)) {
+        if (!bcrypt.compareSync(String(password), existingUser.password)) {
           await EventLogs.logEvent(
             "failed_login_invalid_password",
             {

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ function systemEndpoints(app) {`
`105`	`105`
`106`	`106`	`if (await SystemSettings.isMultiUserMode()) {`
`107`	`107`	`const { username, password } = reqBody(request);`
`108`		`- const existingUser = await User.get({ username });`
	`108`	`+ const existingUser = await User.get({ username: String(username) });`
`109`	`109`
`110`	`110`	`if (!existingUser) {`
`111`	`111`	`await EventLogs.logEvent(`
`@@ -125,7 +125,7 @@ function systemEndpoints(app) {`
`125`	`125`	`return;`
`126`	`126`	`}`
`127`	`127`
`128`		`- if (!bcrypt.compareSync(password, existingUser.password)) {`
	`128`	`+ if (!bcrypt.compareSync(String(password), existingUser.password)) {`
`129`	`129`	`await EventLogs.logEvent(`
`130`	`130`	`"failed_login_invalid_password",`
`131`	`131`	`{`