fix: disallow usage of default password (#3284)

RSS-Bridge · Mar 6, 2023 · a01c1f6 · a01c1f6
1 parent f0e5ef0
commit a01c1f6
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/config.default.ini.php b/config.default.ini.php
@@ -75,8 +75,8 @@
 
 username = "admin"
 
-; This default password is public knowledge. Replace it.
-password = "7afbf648a369b261"
+; The password cannot be the empty string if authentication is enabled.
+password = ""
 
 ; This will be used only for actions that require privileged access
 access_token = ""

diff --git a/lib/AuthenticationMiddleware.php b/lib/AuthenticationMiddleware.php
@@ -14,6 +14,13 @@
 
 final class AuthenticationMiddleware
 {
+    public function __construct()
+    {
+        if (Configuration::getConfig('authentication', 'password') === '') {
+            throw new \Exception('The authentication password cannot be the empty string');
+        }
+    }
+
     public function __invoke(): void
     {
         $user = $_SERVER['PHP_AUTH_USER'] ?? null;

diff --git a/lib/RssBridge.php b/lib/RssBridge.php
@@ -63,8 +63,8 @@ private function run($request): void
         // Consider: ini_set('error_reporting', E_ALL & ~E_DEPRECATED);
         date_default_timezone_set(Configuration::getConfig('system', 'timezone'));
 
-        $authenticationMiddleware = new AuthenticationMiddleware();
         if (Configuration::getConfig('authentication', 'enable')) {
+            $authenticationMiddleware = new AuthenticationMiddleware();
             $authenticationMiddleware();
         }