From 2337ee4d759bfd801609116eec418780c8a20c49 Mon Sep 17 00:00:00 2001
From: martylukyy <35452459+martylukyy@users.noreply.github.com>
Date: Sun, 24 Mar 2024 10:39:51 +0100
Subject: [PATCH] fix(autobrrctl): prevent empty password (#1468)
* fix(autobrrctl): prevent empty password
* fix(autobrrctl): prevent empty password for create-user aswell
fix(autobrrctl): stringify password in checks
* feat(autobrrctl): validate password length
---------
Co-authored-by: ze0s
---
 cmd/autobrrctl/main.go | 26 +++++++++++++-------------
 internal/auth/service.go | 4 ++++
 2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/cmd/autobrrctl/main.go b/cmd/autobrrctl/main.go
index afc4c0e..308d082 100644
--- a/cmd/autobrrctl/main.go
+++ b/cmd/autobrrctl/main.go
@@ -286,32 +286,32 @@ func main() {
 }
 }
-func readPassword() ([]byte, error) {
- var password []byte
- var err error
+func readPassword() (password []byte, err error) {
 fd := int(os.Stdin.Fd())
 if term.IsTerminal(fd) {
 fmt.Printf("Password: ")
 password, err = term.ReadPassword(int(os.Stdin.Fd()))
- if err != nil {
- return nil, err
- }
 fmt.Printf("\n")
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to read password from terminal")
+ }
 } else {
- //fmt.Fprintf(os.Stderr, "warning: Reading password from stdin.\n")
 scanner := bufio.NewScanner(os.Stdin)
 if !scanner.Scan() {
 if err := scanner.Err(); err != nil {
- log.Fatalf("failed to read password from stdin: %v", err)
+ return nil, errors.Wrap(err, "failed to read password from stdin")
 }
- log.Fatalf("failed to read password from stdin: stdin is empty %v", err)
- }
- password = scanner.Bytes()
- if len(password) == 0 {
- return nil, errors.New("zero length password")
+ return nil, errors.New("password input is empty")
 }
+
+ password = scanner.Bytes()
+ }
+
+ // make sure the password is not empty
+ if len(password) == 0 {
+ return nil, errors.New("zero length password")
 }
 return password, nil
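Review bot: The final check in readPassword, `if len(password) == 0 {`, rejects only a zero-length value, so a line of spaces or a one-character password is still accepted from either the terminal or the stdin branch; the `password == ""` guard added to CreateHash in internal/auth/service.go has the same limit. The commit message mentions validating password length, but no minimum is visible in either hunk; if one is intended, it is better enforced once in the auth service than in the CLI. For the whitespace case the check could become `if len(bytes.TrimSpace(password)) == 0 {`, which tests a trimmed view without altering the returned password (this assumes `bytes` is imported in main.go, which the hunk does not show). readPassword's closing brace lies outside the hunk.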
diff --git a/internal/auth/service.go b/internal/auth/service.go
index faa749e..b31aaf1 100644
--- a/internal/auth/service.go
+++ b/internal/auth/service.go
@@ -154,5 +154,9 @@ func (s *service) ComparePasswordAndHash(password string, hash string) (match bo
 }
 func (s *service) CreateHash(password string) (hash string, err error) {
+ if password == "" {
+ return "", errors.New("must supply non empty password to CreateHash")
+ }
+
 return argon2id.CreateHash(password, argon2id.DefaultParams)
 }
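Review bot: The new guard in CreateHash returns an ad-hoc `errors.New(...)` value, so a caller can tell a rejected empty password apart from a failure inside `argon2id.CreateHash` only by matching the message text. A package-level sentinel returned from the guard, for example `var ErrEmptyPassword = errors.New("password must not be empty")`, would let callers (not visible in this hunk) report a validation error rather than an internal one. The method also has no doc comment; I would add `// CreateHash returns the argon2id hash of password using argon2id.DefaultParams. It rejects the empty string with an error.` so the new precondition is stated where callers will read it.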