From b7ac0f7991361d995f5744d04bdead3e040a8d89 Mon Sep 17 00:00:00 2001
From: muxator
Date: Wed, 1 Apr 2020 04:05:38 +0200
Subject: [PATCH] Settings: allow the existence of "password" and "hash" attributes for users. This brings back compatibility with ep_hash_auth, which was inadvertently broken with 28a3bba4c106. Based on work by John McLear. Fixes #3681.
---
 src/node/utils/Settings.js | 42 ++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
index 47712b9bd..f64d65878 100644
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@@ -631,26 +631,50 @@ exports.reloadSettings = function reloadSettings() {
 if (exports.users) {
 /*
- * Prune from export.users any user that has no password attribute, or whose
- * password attribute is "null".
+ * Each user must have exactly one of ("password", "hash") attributes set,
+ * and its value must be not null.
 *
- * This is used by the settings.json in the default Dockerfile to eschew
- * creating an admin user if no password is set.
+ * Prune from export.users any user that does not satisfy this condition,
+ * including the ones that (by chance) have both "password" and "hash" set.
+ *
+ * This mechanism is used by the settings.json in the default Dockerfile to
+ * eschew creating an admin user if no password (or hash) is set.
 */
 var filteredUsers = _.pick(exports.users, function(userProperties, username) {
- if (userProperties.hasOwnProperty("password") === false) {
- console.warn(`Removing user "${username}", because it has no "password" field.`);
+ if ((userProperties.hasOwnProperty("password") === false) && (userProperties.hasOwnProperty("hash") === false)) {
+ console.warn(`Removing user "${username}", because it has no "password" or "hash" field.`);
 return false;
 }
- if (userProperties.password === null) {
- console.warn(`Removing user "${username}", because its password is null.`);
+ if (userProperties.hasOwnProperty("password") && userProperties.hasOwnProperty("hash")) {
+ console.warn(`Removing user "${username}", because it has both "password" and "hash" fields set. THIS SHOULD NEVER HAPPEN.`);
 return false;
 }
- // This user has a password, and its password is not null. Keep it.
+ /*
+ * If we arrive here, the user has exactly a password or a hash set.
+ * They may still be null
+ */
+ if (userProperties.hasOwnProperty("password") && (userProperties.password === null)) {
+ console.warn(`Removing user "${username}", because its "password" is null.`);
+
+ return false;
+ }
+
+ if (userProperties.hasOwnProperty("hash") && (userProperties.hash === null)) {
+ console.warn(`Removing user "${username}", because its "hash" value is null.`);
+
+ return false;
+ }
+
+ /*
+ * This user has a password, and its password is not null, or it has an
+ * hash, and its hash is not null (not both).
+ *
+ * Keep it.
+ */
 return true;
 });
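Review bot: The two null checks in the `_.pick` callback reject only `null`, so a user whose `password` or `hash` is an empty string or a non-string value (for example `"password": ""`) is still kept. Whether such an entry can authenticate depends on the auth code and on plugins such as ep_hash_auth, neither visible here. Because this filter is what stops the default Docker settings from creating an admin without a credential, I would require a non-empty string: `if (userProperties.hasOwnProperty("password") && (typeof userProperties.password !== "string" || userProperties.password === "")) {`, and the same for `hash`. Separately, `userProperties.hasOwnProperty(...)` throws a TypeError when a user entry in settings.json is itself `null`, so a guard at the top of the callback that warns and returns `false` for non-object entries would keep a malformed file from aborting the reload. reloadSettings starts and ends outside this hunk.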