fix: Force false result when comparing against dummy hash for passwordless users

mtrezza · mtrezza · commit c323b42a9238 · 2026-04-05T15:06:52.000+01:00
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -127,9 +127,12 @@ export class UsersRouter extends ClassesRouter {
             user = results[0];
           }
 
-          const hashedPassword =
-            typeof user.password === 'string' ? user.password : passwordCrypto.dummyHash;
-          return passwordCrypto.compare(password, hashedPassword);
+          const hasStoredPassword =
+            typeof user.password === 'string' && user.password.length > 0;
+          const hashedPassword = hasStoredPassword ? user.password : passwordCrypto.dummyHash;
+          return passwordCrypto
+            .compare(password, hashedPassword)
+            .then(correct => (hasStoredPassword ? correct : false));
         })
         .then(correct => {
           isValidPassword = correct;
