1 files changed, 19 insertions, 29 deletions

diff --git a/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs b/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
index 6a78e7ee6..cb2d09a67 100644
--- a/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
+++ b/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
@@ -1,9 +1,7 @@
 using System;
-using System.Linq;
-using System.Text;
+using System.Diagnostics.CodeAnalysis;
 using System.Threading.Tasks;
 using Jellyfin.Data.Entities;
-using MediaBrowser.Common.Cryptography;
 using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Model.Cryptography;
 
@@ -42,14 +40,18 @@ namespace Jellyfin.Server.Implementations.Users
 
         /// <inheritdoc />
         // This is the version that we need to use for local users. Because reasons.
-        public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
+        public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User? resolvedUser)
         {
-            if (resolvedUser == null)
+            [DoesNotReturn]
+            static void ThrowAuthenticationException()
             {
-                throw new AuthenticationException("Specified user does not exist.");
+                throw new AuthenticationException("Invalid username or password");
             }
 
-            bool success = false;
+            if (resolvedUser is null)
+            {
+                ThrowAuthenticationException();
+            }
 
             // As long as jellyfin supports password-less users, we need this little block here to accommodate
             if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
@@ -61,33 +63,21 @@ namespace Jellyfin.Server.Implementations.Users
             }
 
             // Handle the case when the stored password is null, but the user tried to login with a password
-            if (resolvedUser.Password != null)
+            if (resolvedUser.Password is null)
             {
-                byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
+                ThrowAuthenticationException();
+            }
 
-                PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
-                if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)
-                    || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
-                {
-                    byte[] calculatedHash = _cryptographyProvider.ComputeHash(
-                        readyHash.Id,
-                        passwordBytes,
-                        readyHash.Salt.ToArray());
-
-                    if (readyHash.Hash.SequenceEqual(calculatedHash))
-                    {
-                        success = true;
-                    }
-                }
-                else
-                {
-                    throw new AuthenticationException($"Requested crypto method not available in provider: {readyHash.Id}");
-                }
+            PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
+            if (!_cryptographyProvider.Verify(readyHash, password))
+            {
+                ThrowAuthenticationException();
             }
 
-            if (!success)
+            // Migrate old hashes to the new default
+            if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal))
             {
-                throw new AuthenticationException("Invalid username or password");
+                ChangePassword(resolvedUser, password);
             }
 
             return Task.FromResult(new ProviderAuthenticationResult