From 696d870c2f5b6c414eb9d389b466e8131f35f212 Mon Sep 17 00:00:00 2001
From: michael-pattern
Date: Wed, 8 May 2024 17:52:50 -0400
Subject: [PATCH] Allow password-based user login only when password is truthy
---
 packages/api/src/controllers/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/api/src/controllers/auth.js b/packages/api/src/controllers/auth.js
index 74c5ad450..0171f3ae0 100644
--- a/packages/api/src/controllers/auth.js
+++ b/packages/api/src/controllers/auth.js
@@ -137,7 +137,7 @@ module.exports = {
 return { error: 'Logins not configured' };
 }
 const foundLogin = logins.find(x => x.login == login);
- if (foundLogin && foundLogin.password == password) {
+ if (foundLogin && foundLogin.password && foundLogin.password == password) {
 return {
 accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: getTokenLifetime() }),
 };
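Review bot: The password check on the changed `if` line still uses loose `==`, so a non-string `password` from the request is coerced before comparison rather than rejected; the added truthiness guard covers only the configured side (`foundLogin.password`). I would require a string and compare strictly: `if (foundLogin && foundLogin.password && typeof password === 'string' && foundLogin.password === password) {`. The same applies to `x.login == login` in the `find` on the context line above it. The comparison is also not constant-time; Node's `crypto.timingSafeEqual` over equal-length buffers would address that if this path is reachable by untrusted clients, which the hunk does not show. The enclosing function starts and ends outside the hunk, so where `login` and `password` come from is inferred rather than visible.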