Merge pull request #1244 from joshuaboniface/hotfix-authapi

Hotfix authapi
2024-07-08 23:00:51 +02:00 · 2019-04-18 17:58:54 -04:00 · 2019-04-18 17:58:54 -04:00 · 06a1e1f166
parent cde7375049 31ad366aa9
commit 06a1e1f166
3 changed files with 31 additions and 1 deletions
--- a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
+++ b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
@ -203,6 +203,7 @@ namespace Emby.Server.Implementations.HttpServer
                case DirectoryNotFoundException _:
                case FileNotFoundException _:
                case ResourceNotFoundException _: return 404;
+                case MethodNotAllowedException _: return 405;
                case RemoteServiceUnavailableException _: return 502;
                default: return 500;
            }
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@ -379,10 +379,15 @@ namespace MediaBrowser.Api
                throw new ResourceNotFoundException("User not found");
            }

+            if (!string.IsNullOrEmpty(request.Password) && string.IsNullOrEmpty(request.Pw))
+            {
+                throw new MethodNotAllowedException("Hashed-only passwords are not valid for this API.");
+            }
+
            return Post(new AuthenticateUserByName
            {
                Username = user.Name,
-                Password = request.Password,
+                Password = null, // This should always be null
                Pw = request.Pw
            });
        }
--- a/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs
+++ b/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs
@ -26,6 +26,30 @@ namespace MediaBrowser.Common.Extensions
        }
    }

+    /// <summary>
+    /// Class MethodNotAllowedException
+    /// </summary>
+    public class MethodNotAllowedException : Exception
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="MethodNotAllowedException" /> class.
+        /// </summary>
+        public MethodNotAllowedException()
+        {
+
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="MethodNotAllowedException" /> class.
+        /// </summary>
+        /// <param name="message">The message.</param>
+        public MethodNotAllowedException(string message)
+            : base(message)
+        {
+
+        }
+    }
+
    public class RemoteServiceUnavailableException : Exception
    {
        public RemoteServiceUnavailableException()