authorGravatar Dag <me@dvikan.no> 2023-03-06 20:43:44 +0100
committerGravatar GitHub <noreply@github.com> 2023-03-06 20:43:44 +0100
commita01c1f6ab0d6409c9e3408108e0fc69fd287b9f1 (patch)
treeb3ccfd4a13e6c650305a4ff9dcb21763925a91d1
parentf0e5ef0fc58f3796bb4c03caa2c5e7ca78de119e (diff)
fix: disallow usage of default password (#3284)
-rw-r--r--config.default.ini.php4
-rw-r--r--lib/AuthenticationMiddleware.php7
-rw-r--r--lib/RssBridge.php2
3 files changed, 10 insertions, 3 deletions
diff --git a/config.default.ini.php b/config.default.ini.php
index 17bfc702..2432d784 100644
--- a/config.default.ini.php
+++ b/config.default.ini.php
@@ -75,8 +75,8 @@ enable = false
username = "admin"
-; This default password is public knowledge. Replace it.
-password = "7afbf648a369b261"
+; The password cannot be the empty string if authentication is enabled.
+password = ""
; This will be used only for actions that require privileged access
access_token = ""
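Review bot: The new comment on `password` states the constraint but not what happens when it is violated, so an operator who sets `enable = true` and leaves the value empty learns it only from the exception. I would spell out the consequence and give guidance on the value, for example `; Required when enable = true: RSS-Bridge throws on an empty password. Use a long, random value.` The section continues outside the hunk.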
diff --git a/lib/AuthenticationMiddleware.php b/lib/AuthenticationMiddleware.php
index 4c554a42..c77e1b91 100644
--- a/lib/AuthenticationMiddleware.php
+++ b/lib/AuthenticationMiddleware.php
@@ -14,6 +14,13 @@
final class AuthenticationMiddleware
{
+ public function __construct()
+ {
+ if (Configuration::getConfig('authentication', 'password') === '') {
+ throw new \Exception('The authentication password cannot be the empty string');
+ }
+ }
+
public function __invoke(): void
{
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
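Review bot: The constructor check rejects only the exact empty string, so an install whose own config still carries the formerly shipped value `7afbf648a369b261` (removed from config.default.ini.php in this commit, where it was described as public knowledge) passes it unchanged. Since the commit sets out to disallow the default password, the guard could reject that value too and treat whitespace-only input as empty: `$password = trim((string) Configuration::getConfig('authentication', 'password'));` followed by `if ($password === '' || $password === '7afbf648a369b261') {`. How `getConfig` reports a missing key is not visible here; if it returns null, the strict `=== ''` comparison would let that through as well, which the cast covers. A more specific exception type than `\Exception` would let callers tell a misconfiguration from other failures. The body of `__invoke()` continues outside the hunk.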
diff --git a/lib/RssBridge.php b/lib/RssBridge.php
index 7e79a423..ce895bf2 100644
--- a/lib/RssBridge.php
+++ b/lib/RssBridge.php
@@ -63,8 +63,8 @@ final class RssBridge
// Consider: ini_set('error_reporting', E_ALL & ~E_DEPRECATED);
date_default_timezone_set(Configuration::getConfig('system', 'timezone'));
- $authenticationMiddleware = new AuthenticationMiddleware();
if (Configuration::getConfig('authentication', 'enable')) {
+ $authenticationMiddleware = new AuthenticationMiddleware();
$authenticationMiddleware();
}
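Review bot: Nothing at the call site says why construction moved inside the `enable` check, and the reason is not obvious from this file alone: the constructor now throws on an empty password, so building the object unconditionally would break installs that leave authentication disabled. A comment such as `// Construct only when enabled: the constructor throws if the password is empty.` would keep a later refactor from hoisting it back out. Where the exception is caught and how it reaches the operator is outside the hunk; it is worth confirming that the failure stops the request rather than letting it continue unauthenticated. The enclosing method starts and ends outside the hunk.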