From e790f024c2da2b3104ad698abfbd74fdf273bb9f Mon Sep 17 00:00:00 2001
From: Joshua Boniface
Date: Wed, 17 Apr 2019 22:31:17 -0400
Subject: [PATCH] Return MethodNotAllowedException if Pw is not set

Don't accept pre-hashed (not-plaintext) passwords as the auth provider no longer supports this due to sha1+salting the passwords in the database.
---
 MediaBrowser.Api/UserService.cs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index a6849f75f5..0db62098ca 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -379,6 +379,11 @@ namespace MediaBrowser.Api
 throw new ResourceNotFoundException("User not found");
 }
 
+ if (!request.Pw)
+ {
+ throw new MethodNotAllowedException("Hashed-only passwords are not valid for this API.");
+ }
+
 return Post(new AuthenticateUserByName
 {
 Username = user.Name,
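Review bot: The added guard `if (!request.Pw)` applies logical negation to `Pw`, which the commit message describes as the plaintext password. Its declaration is outside the hunk, but if `Pw` is a string this does not compile in C#, and the intended check is presumably `if (string.IsNullOrEmpty(request.Pw))`. Written that way, the guard also rejects an empty plaintext password, so it is worth confirming that accounts without a password are not meant to authenticate through this route. A missing request field is a malformed request rather than a disallowed HTTP method, so an `ArgumentException`-style error would describe the failure to clients more accurately than `MethodNotAllowedException`. The enclosing method starts and ends outside the hunk, and the `AuthenticateUserByName` initializer is cut off after `Username`, so whether a legacy hashed field is still forwarded cannot be confirmed from here.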