server: Ensure that password is nonempty when verifying with rcrypt

server/src/engine/core/system_db.rs

@@ -84,14 +84,19 @@ impl SystemDatabase {
             .read()
             .get(username)
             .map(|user| {
-                if rcrypt::verify(password, &user.phash).unwrap() {
+                if password.is_empty() {
-                    if username == Self::ROOT_ACCOUNT {
+                    return VerifyUser::IncorrectPassword;
-                        VerifyUser::OkayRoot
+                }
-                    } else {
+                match rcrypt::verify(password, user.hash()) {
-                        VerifyUser::Okay
+                    Ok(true) => {
+                        if username == Self::ROOT_ACCOUNT {
+                            VerifyUser::OkayRoot
+                        } else {
+                            VerifyUser::Okay
+                        }
                     }
-                } else {
+                    Ok(false) => VerifyUser::IncorrectPassword,
-                    VerifyUser::IncorrectPassword
+                    Err(_) => unreachable!(),
                 }
             })
             .unwrap_or(VerifyUser::NotFound)