Closed: ramanbuttar closed this 8 years ago
The way the if statements are structured, the plaintext check is last, so it shouldn't allow the behaviour you mentioned. I included tests to cover such a case as well.
Unfortunately, this is intrinsic knowledge and not captured in the commit as a comment currently. It would be nice to have it in as an option, along with appropriate warnings.
This would also allow logging in with the hashed password, which defeats the purpose of hashing passwords.
Plaintext passwords are not something we want to support because of the security concerns you mentioned in #22.
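The concern discussed in this thread, as an added example that is not the project's code: a verifier that falls through to a plaintext comparison accepts the stored hash string itself as a password, while one that dispatches on the stored format does not. The `pbkdf2_sha256$` storage format, the function names and the `allow_plaintext` option are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PREFIX = "pbkdf2_sha256$"  # constructed storage format, not the project's


def hash_password(password, salt=None, rounds=100_000):
    """Return 'pbkdf2_sha256$<rounds>$<salt hex>$<key hex>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{PREFIX}{rounds}${salt.hex()}${dk.hex()}"


def _check_hash(stored, candidate):
    """Recompute the key from the stored parameters; malformed records fail."""
    try:
        rounds, salt_hex, dk_hex = stored[len(PREFIX):].split("$")
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex().encode(), dk_hex.encode())


def verify_naive(stored, candidate):
    # Weak: the plaintext comparison is last, but still reachable when the
    # stored value is a hash, so submitting the hash string itself succeeds.
    if stored.startswith(PREFIX) and _check_hash(stored, candidate):
        return True
    return hmac.compare_digest(stored.encode(), candidate.encode())


def verify_strict(stored, candidate, allow_plaintext=False):
    # The stored format alone selects the branch: a hashed record can never
    # be compared as plaintext, and plaintext records need an explicit opt-in.
    if stored.startswith(PREFIX):
        return _check_hash(stored, candidate)
    if allow_plaintext:
        return hmac.compare_digest(stored.encode(), candidate.encode())
    return False


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample credential
    print("naive accepts the hash as password: ", verify_naive(record, record))
    print("strict accepts the hash as password:", verify_strict(record, record))
```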