At the moment, the JWT authentication is used even for an empty password. This is problematic because a refresh token obtained while the password is empty would grant eternal access even when the password is set to something non-empty (unless the secret is changed).
To mitigate this, without having to change the frontend code, the login endpoint should return an empty but long-lived access token. Once the password is changed to something non-empty, this will block access.
This turned out to be even simpler. A trivial secret key is now used in case of an empty password, such that the key can never be (accidentally) left the same after switching to a non-empty password.
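The following is an added example, not code from this project, illustrating the mechanism described above: the JWT signing key is derived from the current password, with a fixed trivial key used while the password is empty, so a refresh token issued during the empty-password period stops verifying as soon as a non-empty password is set. The HS256 encoding is done by hand with the standard library so it runs offline; `SERVER_SECRET`, the key-derivation scheme and the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed value for the example; a real deployment would load this from config.
SERVER_SECRET = b"constructed-server-secret-for-example"

# Fixed, intentionally trivial key used only while the password is empty.
EMPTY_PASSWORD_KEY = b"empty-password-trivial-key"


def signing_key(password: str) -> bytes:
    """Derive the JWT HMAC key from the current password.

    Empty password: a fixed trivial key, so tokens signed with it never verify
    once a real password exists. Non-empty password: HMAC(server secret, password),
    so changing the password implicitly rotates the signing key.
    """
    if password == "":
        return EMPTY_PASSWORD_KEY
    return hmac.new(SERVER_SECRET, password.encode("utf-8"), hashlib.sha256).digest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_refresh_token(password: str, subject: str, now: int, ttl_seconds: int) -> str:
    """Mint an HS256 JWT signed with the key derived from the password in force now."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(signing_key(password), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_refresh_token(token: str, password: str, now: int):
    """Return the claims if the token verifies under the *current* password, else None.

    A token minted under a different password (including the empty one) fails the
    signature check because the derived key differs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Only accept the algorithm we issue; never trust the header to pick a verifier.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(signing_key(password), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    ten_years = 10 * 365 * 24 * 3600
    # Constructed scenario: token obtained while the password was still empty.
    old_token = issue_refresh_token("", "admin", t0, ten_years)
    print("verifies while password empty:", verify_refresh_token(old_token, "", t0) is not None)
    print("verifies after password set:  ", verify_refresh_token(old_token, "hunter2", t0) is not None)
```

Because the key is a function of the password, the operator never has to remember to rotate the secret by hand after leaving the empty-password state; the long-lived token simply stops validating. The same property holds for any later password change, which is a reasonable default for refresh tokens.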