server: disallow empty username or password

2026-05-30 00:10:26 +01:00 · 2022-03-13 13:40:06 -07:00
parent 41aa88e750
commit bd6860d92b
3 changed files with 11 additions and 4 deletions
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@scrypted/server",
-  "version": "0.0.154",
+  "version": "0.0.155",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "@scrypted/server",
-      "version": "0.0.154",
+      "version": "0.0.155",
      "license": "ISC",
      "dependencies": {
        "@mapbox/node-pre-gyp": "^1.0.8",
--- a/server/package.json
+++ b/server/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@scrypted/server",
-  "version": "0.0.154",
+  "version": "0.0.155",
  "description": "",
  "dependencies": {
    "@mapbox/node-pre-gyp": "^1.0.8",
--- a/server/src/scrypted-server-main.ts
+++ b/server/src/scrypted-server-main.ts
@@ -364,7 +364,6 @@ async function start() {
        const maxAge = 86400000;

        if (hasLogin) {
-
            const user = await db.tryGet(ScryptedUser, username);
            if (!user) {
                res.send({
@@ -409,6 +408,14 @@ async function start() {
            return;
        }

+        if (!username || !password) {
+            res.send({
+                error: 'Username and password must not be empty.',
+                hasLogin,
+            });
+            return;
+        }
+
        const user = new ScryptedUser();
        user._id = username;
        user.salt = crypto.randomBytes(64).toString('base64');