From 4b3469335ed2bd4d43a7f3dc945e7220fd05bdb4 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Sat, 6 Jun 2020 12:52:22 +0200
Subject: [PATCH] Fail auth on empty password in DB

---
 downstream.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/downstream.go b/downstream.go
index 4d7499f..e314151 100644
--- a/downstream.go
+++ b/downstream.go
@@ -688,6 +688,11 @@ func (dc *downstreamConn) authenticate(username, password string) error {
 return errAuthFailed
 }

+ // Password auth disabled
+ if u.Password == "" {
+ return errAuthFailed
+ }
+
 err = bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password))
 if err != nil {
 dc.logger.Printf("failed authentication for %q: %v", username, err)
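Review bot: The new `u.Password == ""` branch returns `errAuthFailed` without logging anything, while the bcrypt failure path just below it logs `failed authentication for %q: %v`. Login attempts against accounts with password auth disabled would therefore leave no trace in the log. Consider logging before the return, e.g. `dc.logger.Printf("failed authentication for %q: password auth disabled", username)`. The early return also skips the bcrypt comparison, so response time may differ between password-disabled accounts and ordinary ones; whether that is observable depends on code outside this hunk. The body of `authenticate` starts and ends outside the hunk.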