Update server.js to trust UserAccounts securely (#2447)

* Update server.js to trust UserAccounts securely * Update zh-cn.json btw * Clarify security logic * update logic * Fix filtering of enabled users. * Fix account name logging * More friendly log * Even friendlier message * Revert deleted keys --------- Co-authored-by: Cohee <18619528+Cohee1207@users.noreply.github.com>
2025-06-05 21:59:27 +02:00 · 2024-07-04 02:24:03 +08:00
parent fa983521c0
commit 46c91bec67
3 changed files with 72 additions and 33 deletions
--- a/src/users.js
+++ b/src/users.js
@@ -681,27 +681,27 @@ async function createBackupArchive(handle, response) {
 }

 /**
- * Checks if any admin users are not password protected. If so, logs a warning.
- * @returns {Promise<void>}
+ * Gets all of the users.
+ * @returns {Promise<User[]>}
 */
-async function checkAccountsProtection() {
+async function getAllUsers() {
    if (!ENABLE_ACCOUNTS) {
-        return;
+        return [];
    }
-
    /**
     * @type {User[]}
     */
    const users = await storage.values();
-    const unprotectedUsers = users.filter(x => x.enabled && x.admin && !x.password);
-    if (unprotectedUsers.length > 0) {
-        console.warn(color.red('The following admin users are not password protected:'));
-        unprotectedUsers.forEach(x => console.warn(color.yellow(x.handle)));
-        console.log();
-        console.warn('Please disable them or set a password in the admin panel.');
-        console.log();
-        await delay(3000);
-    }
+    return users;
+}
+
+/**
+ * Gets all of the enabled users.
+ * @returns {Promise<User[]>}
+ */
+async function getAllEnabledUsers() {
+    const users = await getAllUsers();
+    return users.filter(x => x.enabled);
 }

 /**
@@ -738,6 +738,7 @@ module.exports = {
    shouldRedirectToLogin,
    createBackupArchive,
    tryAutoLogin,
-    checkAccountsProtection,
+    getAllUsers,
+    getAllEnabledUsers,
    router,
 };