From b83e42af260d61cdd26bac9d59f78e48a3710cbb Mon Sep 17 00:00:00 2001
From: Sayan Nandan
Date: Sun, 24 Mar 2024 11:42:03 +0530
Subject: [PATCH] server: Ensure that password is nonempty when verifying with rcrypt

---
 server/src/engine/core/system_db.rs | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/server/src/engine/core/system_db.rs b/server/src/engine/core/system_db.rs
index f9d0a4cb..27e5321c 100644
--- a/server/src/engine/core/system_db.rs
+++ b/server/src/engine/core/system_db.rs
@@ -84,14 +84,19 @@ impl SystemDatabase {
 .read()
 .get(username)
 .map(|user| {
- if rcrypt::verify(password, &user.phash).unwrap() {
- if username == Self::ROOT_ACCOUNT {
- VerifyUser::OkayRoot
- } else {
- VerifyUser::Okay
+ if password.is_empty() {
+ return VerifyUser::IncorrectPassword;
+ }
+ match rcrypt::verify(password, user.hash()) {
+ Ok(true) => {
+ if username == Self::ROOT_ACCOUNT {
+ VerifyUser::OkayRoot
+ } else {
+ VerifyUser::Okay
+ }
 }
- } else {
- VerifyUser::IncorrectPassword
+ Ok(false) => VerifyUser::IncorrectPassword,
+ Err(_) => unreachable!(),
 }
 })
 .unwrap_or(VerifyUser::NotFound)
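Review bot: The `Err(_) => unreachable!()` arm keeps a panic on the authentication path, because any error `rcrypt::verify` returns for a reason other than the empty password filtered out above would still abort the handler instead of rejecting the login. Which inputs make the library return `Err` is not visible in this hunk, so the arm rests on an assumption about `rcrypt` (and about every stored hash being well-formed) that nothing here enforces. Failing closed is safer: `Err(_) => VerifyUser::IncorrectPassword,`, with the error logged server-side so that a damaged credential record is noticed. A one-line comment on the `password.is_empty()` guard saying why empty input must not reach `rcrypt::verify` would help the next reader. The enclosing function starts and ends outside the hunk, so whether callers already reject empty passwords cannot be confirmed here.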