In my proposed fix I took the stance that we should always be treating user input as untrusted. Just hash it and move on.
The code that checked if the password was already hashed seemed to have been written so that a migration process could use the same API code to move users around.
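A sketch of the behaviour described above, as an added example rather than the code from the original fix. The PBKDF2 storage format, the `looks_hashed` check and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "pbkdf2_sha256"  # assumed storage format: prefix$iterations$salt$digest
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 hash and encode it in the assumed storage format."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def looks_hashed(value: str) -> bool:
    """Hypothetical 'is it already hashed?' check of the kind the post describes."""
    return value.startswith(PREFIX + "$") and value.count("$") == 3


def set_password_before(db: dict, user: str, submitted: str) -> None:
    """Before: input shaped like a hash is trusted and stored verbatim."""
    db[user] = submitted if looks_hashed(submitted) else hash_password(submitted)


def set_password_after(db: dict, user: str, submitted: str) -> None:
    """After: every submitted value is treated as a plaintext password and hashed."""
    db[user] = hash_password(submitted)


def demo() -> dict:
    # Constructed input: a client-supplied string that merely has the stored-hash shape.
    shaped = hash_password("chosen-by-client", salt=b"\x00" * 16)
    before, after = {}, {}
    set_password_before(before, "alice", shaped)
    set_password_after(after, "alice", shaped)
    return {
        "before_stored_verbatim": before["alice"] == shaped,
        "after_stored_verbatim": after["alice"] == shaped,
        "after_verifies_submitted": verify_password(shaped, after["alice"]),
    }
```

With the "after" version, the hash-shaped string is just another password: the stored record is a fresh hash of it, and the client never controls what lands in the credential column.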