ether · muxator · Apr 1, 2020 · Mar 15, 2020 · Mar 17, 2020 · Mar 21, 2020
diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
@@ -631,26 +631,50 @@ exports.reloadSettings = function reloadSettings() {
 
   if (exports.users) {
     /*
-     * Prune from export.users any user that has no password attribute, or whose
-     * password attribute is "null".
+     * Each user must have exactly one of ("password", "hash") attributes set,
+     * and its value must be not null.
      *
-     * This is used by the settings.json in the default Dockerfile to eschew
-     * creating an admin user if no password is set.
+     * Prune from export.users any user that does not satisfy this condition,
+     * including the ones that (by chance) have both "password" and "hash" set.
+     *
+     * This mechanism is used by the settings.json in the default Dockerfile to
+     * eschew creating an admin user if no password (or hash) is set.
      */
     var filteredUsers = _.pick(exports.users, function(userProperties, username) {
-      if (userProperties.hasOwnProperty("password") === false) {
-        console.warn(`Removing user "${username}", because it has no "password" field.`);
+      if ((userProperties.hasOwnProperty("password") === false) && (userProperties.hasOwnProperty("hash") === false)) {
+        console.warn(`Removing user "${username}", because it has no "password" or "hash" field.`);
 
         return false;
       }
 
-      if (userProperties.password === null) {
-        console.warn(`Removing user "${username}", because its password is null.`);
+      if (userProperties.hasOwnProperty("password") && userProperties.hasOwnProperty("hash")) {
+        console.warn(`Removing user "${username}", because it has both "password" and "hash" fields set. THIS SHOULD NEVER HAPPEN.`);
+
+        return false;
+      }
+
+      /*
+       * If we arrive here, the user has exactly a password or a hash set.
+       * They may still be null
+       */
+      if (userProperties.hasOwnProperty("password") && (userProperties.password === null)) {
+        console.warn(`Removing user "${username}", because its "password" is null.`);
 
         return false;
       }
 
-      // This user has a password, and its password is not null. Keep it.
+      if (userProperties.hasOwnProperty("hash") && (userProperties.hash === null)) {
+        console.warn(`Removing user "${username}", because its "hash" value is null.`);
+
+        return false;
+      }
+
+      /*
+       * This user has a password, and its password is not null, or it has an
+       * hash, and its hash is not null (not both).
+       *
+       * Keep it.
+       */
       return true;
     });