From 06a7bdd3ce950cdf7152fc12a95b04f7110bb3d9 Mon Sep 17 00:00:00 2001
From: QuantumEntangledAndy
Date: Wed, 9 Oct 2024 15:04:28 +0700
Subject: [PATCH] Only allow login via basic per-user if user password is set

---
 src/middleware/basicAuth.js | 4 ----
 src/users.js | 5 -----
 2 files changed, 9 deletions(-)

diff --git a/src/middleware/basicAuth.js b/src/middleware/basicAuth.js
index be7a153eb..07408e7bd 100644
--- a/src/middleware/basicAuth.js
+++ b/src/middleware/basicAuth.js
@@ -43,10 +43,6 @@ const basicAuthMiddleware = async function (request, response, callback) {
 if (user && user.enabled && (user.password && user.password === getPasswordHash(password, user.salt))) {
 return callback();
 }
- else if (user && user.enabled && !user.password && !password) {
- // Login to an account without password
- return callback();
- }
 }
 }
 }
diff --git a/src/users.js b/src/users.js
index 175db03f3..8d5d70630 100644
--- a/src/users.js
+++ b/src/users.js
@@ -678,11 +678,6 @@ async function basicUserLogin(request) {
 request.session.handle = userHandle;
 return true;
 }
- else if (user && user.enabled && !user.password && !password) {
- // Login to an account without password
- request.session.handle = userHandle;
- return true;
- }
 }
 }