From 3e45f5af41af3b454df93d754a75fde429348638 Mon Sep 17 00:00:00 2001
From: Chester Sng
Date: Fri, 22 Mar 2019 19:30:00 +0800
Subject: [PATCH] Add check for the existence of user's password before attempting to authenticate
---
 website/server/controllers/api-v3/auth.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/website/server/controllers/api-v3/auth.js b/website/server/controllers/api-v3/auth.js
index 37d7f7e451..84c5485fe6 100644
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -98,6 +98,9 @@ api.loginLocal = {
 // load the entire user because we may have to save it to convert the password to bcrypt
 let user = await User.findOne(login).exec();
 
+ // if user is using social login, then user will not have a hashed_password stored
+ if (!user.auth.local.hashed_password) throw new NotAuthorized(res.t('invalidLoginCredentialsLong'));
+
 let isValidPassword;
 
 if (!user) {
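Review bot: The added guard reads `user.auth.local.hashed_password` before the existing `if (!user)` check two lines below, so when `User.findOne(login)` matches no account and returns null the new line throws a TypeError instead of reaching the not-found handling. Depending on the error middleware, that probably surfaces as a server error for unknown accounts and a NotAuthorized for known ones, which lets a client tell the two apart. Guard the dereference, e.g. `if (user && !user.auth.local.hashed_password) throw new NotAuthorized(res.t('invalidLoginCredentialsLong'));`, so the null case still falls through to the existing branch. The body of `api.loginLocal` continues outside the hunk, so confirm that the `!user` path ends in the same message, and add one test for an account with no stored password and one for an unknown login.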