If you can't hang with the mac, don't hmac.

7 years ago · 7a52ba6004
parent b3e2c58bcb
commit 7a52ba6004
1 changed files with 6 additions and 1 deletions
--- a/lib/api.js
+++ b/lib/api.js
@ -435,7 +435,12 @@ app.get('/miner/:address/stats', function (req, res) {

 // Authentication
 app.post('/authenticate', function (req, res) {
-    let hmac = crypto.createHmac('sha256', global.config.api.secKey).update(req.body.password).digest('hex');
+    let hmac;
+    try{
+        hmac = crypto.createHmac('sha256', global.config.api.secKey).update(req.body.password).digest('hex');
+    } catch (e) {
+        return res.status(401).send({'success': false, msg: 'Invalid username/password'});
+    }
    global.mysql.query("SELECT * FROM users WHERE username = ? AND ((pass IS null AND email = ?) OR (pass = ?))", [req.body.username, req.body.password, hmac]).then(function (rows) {
        if (rows.length === 0) {
            return res.status(401).send({'success': false, msg: 'Invalid username/password'});