Open brianjlowe opened 1 year ago
At first glance it looks like this may have been introduced back when the password hashing was changed to Argon2. In this particular controller, the check for an un-upgraded account with an obsolete MD5 hash may be occurring in the wrong place.
Describe the bug
AdminLoginController -- a special login controller not linked from the UI for bypassing SSO -- tries to retrieve a user account object and then attempts to use the object before checking whether null was returned. A client started receiving emails with the NPE when something attempted to post to this controller with invalid credentials.

To Reproduce
Steps to reproduce the behavior:

Expected behavior
Incorrect username/password message should be displayed.

Additional context
The call to .getAccountForInternalAuth() on line 97 returns null if the account doesn't exist. The call to md5HashIsNull() on line 144 passes the null pointer to the BasicAuthenticator, which then throws the NPE.
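The ordering defect the report describes, shown as an added example that is not Vitro's code: a minimal login flow in which the account lookup can return null, a handler that mirrors the reported order (account dereferenced by an md5-hash check before any null check), and a corrected handler that fails closed. Every class and method here is a hypothetical stand-in; only getAccountForInternalAuth and md5HashIsNull echo the names quoted in the issue, and SHA-256 stands in for the Argon2 verifier so the example runs with the JDK alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example, not Vitro's code: hypothetical stand-ins for the controller,
// authenticator and account record discussed in the issue.
public class AdminLoginExample {

    enum LoginResult { SUCCESS, INVALID_CREDENTIALS }

    // Hypothetical account record. The legacy MD5 digest is cleared once the account is upgraded.
    static final class UserAccount {
        final String username;
        final byte[] md5Digest;      // legacy digest, or null after the upgrade
        final byte[] upgradedDigest; // stand-in for the modern (Argon2) verifier data

        UserAccount(String username, byte[] md5Digest, byte[] upgradedDigest) {
            this.username = username;
            this.md5Digest = md5Digest;
            this.upgradedDigest = upgradedDigest;
        }
    }

    // Hypothetical authenticator exposing the two calls the issue names.
    static final class Authenticator {
        private final Map<String, UserAccount> accounts = new HashMap<>();

        void register(UserAccount account) {
            accounts.put(account.username, account);
        }

        // Returns null when no such account exists; callers must handle that case.
        UserAccount getAccountForInternalAuth(String username) {
            return accounts.get(username);
        }

        // Dereferences the account, so passing null throws NullPointerException.
        boolean md5HashIsNull(UserAccount account) {
            return account.md5Digest == null;
        }

        boolean legacyPasswordMatches(UserAccount account, String password) {
            // MessageDigest.isEqual is a constant-time comparison
            return MessageDigest.isEqual(account.md5Digest, digest("MD5", password));
        }

        boolean upgradedPasswordMatches(UserAccount account, String password) {
            // SHA-256 stands in for the Argon2 check; a real system would call its Argon2 verifier here
            return MessageDigest.isEqual(account.upgradedDigest, digest("SHA-256", password));
        }
    }

    // Same order as the report: the account is used before it is checked for null.
    static LoginResult loginAsReported(Authenticator auth, String username, String password) {
        UserAccount account = auth.getAccountForInternalAuth(username);
        if (!auth.md5HashIsNull(account)) { // NullPointerException when the username is unknown
            return auth.legacyPasswordMatches(account, password) ? LoginResult.SUCCESS : LoginResult.INVALID_CREDENTIALS;
        }
        return auth.upgradedPasswordMatches(account, password) ? LoginResult.SUCCESS : LoginResult.INVALID_CREDENTIALS;
    }

    // Corrected order: a missing account fails closed with the same generic result as a wrong password.
    static LoginResult loginFixed(Authenticator auth, String username, String password) {
        UserAccount account = auth.getAccountForInternalAuth(username);
        if (account == null) {
            return LoginResult.INVALID_CREDENTIALS; // do not reveal whether the username exists
        }
        if (!auth.md5HashIsNull(account)) {
            return auth.legacyPasswordMatches(account, password) ? LoginResult.SUCCESS : LoginResult.INVALID_CREDENTIALS;
        }
        return auth.upgradedPasswordMatches(account, password) ? LoginResult.SUCCESS : LoginResult.INVALID_CREDENTIALS;
    }

    static byte[] digest(String algorithm, String input) {
        try {
            return MessageDigest.getInstance(algorithm).digest(input.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Authenticator auth = new Authenticator();
        // Constructed sample accounts: one still on MD5, one already upgraded
        auth.register(new UserAccount("legacy", digest("MD5", "old-secret"), null));
        auth.register(new UserAccount("admin", null, digest("SHA-256", "new-secret")));

        System.out.println("admin/new-secret  -> " + loginFixed(auth, "admin", "new-secret"));
        System.out.println("legacy/old-secret -> " + loginFixed(auth, "legacy", "old-secret"));
        System.out.println("nobody/anything   -> " + loginFixed(auth, "nobody", "anything"));
        try {
            loginAsReported(auth, "nobody", "anything");
        } catch (NullPointerException e) {
            System.out.println("reported order: NullPointerException for an unknown username");
        }
    }
}
```

Two points of the corrected handler matter for a login endpoint: the null check comes before any call that dereferences the account, and an unknown username returns the same INVALID_CREDENTIALS result as a wrong password, so the response does not distinguish the two cases. The unhandled NullPointerException on the reported path is also the signal to watch for in error mail or logs while the fix is pending.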