From 77cd736c06e9c5e2536d4328babafd0d42bca829 Mon Sep 17 00:00:00 2001
From: Jeidnx
Date: Thu, 21 Nov 2024 10:46:44 +0100
Subject: [PATCH] explicitly reject empty hashes
---
 .../java/me/kavin/piped/server/handlers/auth/UserHandlers.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/main/java/me/kavin/piped/server/handlers/auth/UserHandlers.java b/src/main/java/me/kavin/piped/server/handlers/auth/UserHandlers.java
index b3471dc..1412ce8 100644
--- a/src/main/java/me/kavin/piped/server/handlers/auth/UserHandlers.java
+++ b/src/main/java/me/kavin/piped/server/handlers/auth/UserHandlers.java
@@ -96,6 +96,9 @@ public class UserHandlers {
 }
 private static boolean hashMatch(String hash, String pass) {
+ if (hash.isBlank()) {
+ return false;
+ }
 return hash.startsWith("$argon2") ? argon2PasswordEncoder.matches(pass, hash) : bcryptPasswordEncoder.matches(pass, hash);
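Review bot: The new guard in `hashMatch` calls `hash.isBlank()` without a null check, so if an account row can carry no stored hash at all, the login would presumably throw a NullPointerException rather than fail cleanly. Folding that case into the guard, `if (hash == null || hash.isBlank()) {`, keeps both "no credential" cases on the same reject path. A one-line comment such as `// an absent or blank stored hash must never authenticate` would record why the check sits ahead of the encoder dispatch. Any non-blank value that does not start with `$argon2` still goes to the bcrypt encoder, so rejecting malformed hashes relies on that encoder's behaviour. The body of `hashMatch` ends outside the hunk.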