3 files changed, 31 insertions, 1 deletions

diff --git a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
index e8d47cad5..831391cee 100644
--- a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
+++ b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
@@ -203,6 +203,7 @@ namespace Emby.Server.Implementations.HttpServer
                 case DirectoryNotFoundException _:
                 case FileNotFoundException _:
                 case ResourceNotFoundException _: return 404;
+                case MethodNotAllowedException _: return 405;
                 case RemoteServiceUnavailableException _: return 502;
                 default: return 500;
             }
diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index a6849f75f..497800d26 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -379,10 +379,15 @@ namespace MediaBrowser.Api
                 throw new ResourceNotFoundException("User not found");
             }
 
+            if (!string.IsNullOrEmpty(request.Password) && string.IsNullOrEmpty(request.Pw))
+            {
+                throw new MethodNotAllowedException("Hashed-only passwords are not valid for this API.");
+            }
+
             return Post(new AuthenticateUserByName
             {
                 Username = user.Name,
-                Password = request.Password,
+                Password = null, // This should always be null
                 Pw = request.Pw
             });
         }
diff --git a/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs b/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs
index f62c65fd7..9f70ae7d8 100644
--- a/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs
+++ b/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs
@@ -26,6 +26,30 @@ namespace MediaBrowser.Common.Extensions
         }
     }
 
+    /// <summary>
+    /// Class MethodNotAllowedException
+    /// </summary>
+    public class MethodNotAllowedException : Exception
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="MethodNotAllowedException" /> class.
+        /// </summary>
+        public MethodNotAllowedException()
+        {
+
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="MethodNotAllowedException" /> class.
+        /// </summary>
+        /// <param name="message">The message.</param>
+        public MethodNotAllowedException(string message)
+            : base(message)
+        {
+
+        }
+    }
+
     public class RemoteServiceUnavailableException : Exception
     {
         public RemoteServiceUnavailableException()