Problem
In permission.guard.ts, validateBaseSharePasswordToken() compares payload.password === baseShare.password in plaintext. The share password appears to be stored unhashed, and the JWT carries the plaintext password.
Suggested Fix
- Store share passwords as bcrypt/argon2 hashes
- JWT should only contain shareId + nonce, not the password
- Validate by hashing the user's input and comparing it against the stored hash
Found during source code review. v1.10.0
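As an added illustration of the suggested fix (not code from the project or from the reporter), the hardened flow in TypeScript: Node's scrypt stands in for bcrypt/argon2, an HMAC-signed token stands in for the JWT library, and the share record, signing secret and sample password are constructed for the example.

```typescript
import { scryptSync, randomBytes, timingSafeEqual, createHmac } from "node:crypto";
import { Buffer } from "node:buffer";

// Constructed stand-in for the base-share record: it keeps a hash, never the plaintext.
export interface BaseShare { id: string; passwordHash: string; }

// Token payload carries only shareId + nonce, never the password.
export interface ShareTokenPayload { shareId: string; nonce: string; }

// Assumption: a real deployment loads the signing secret from configuration.
const SIGNING_SECRET = "constructed-signing-secret";

// Hash a share password on creation (scrypt as a stand-in for bcrypt/argon2); stored as "saltHex:hashHex".
export function hashSharePassword(password: string): string {
  const salt = randomBytes(16);
  return `${salt.toString("hex")}:${scryptSync(password, salt, 32).toString("hex")}`;
}

// Check submitted input against the stored hash in constant time; malformed records never verify.
export function verifySharePassword(password: string, stored: string): boolean {
  const [saltHex, hashHex] = stored.split(":");
  if (!saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Issue a signed token only after verifySharePassword() succeeded (HMAC stand-in for the JWT).
export function issueShareToken(shareId: string): string {
  const payload: ShareTokenPayload = { shareId, nonce: randomBytes(12).toString("hex") };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  const sig = createHmac("sha256", SIGNING_SECRET).update(body).digest("base64url");
  return `${body}.${sig}`;
}

// Hardened validateBaseSharePasswordToken(): verify the signature, then bind the token to this share.
// No password comparison happens here, because the token no longer carries one.
export function validateBaseSharePasswordToken(token: string, share: BaseShare): boolean {
  const [body, sig] = token.split(".");
  if (!body || !sig) return false;
  const expected = createHmac("sha256", SIGNING_SECRET).update(body).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  try {
    const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as ShareTokenPayload;
    return payload.shareId === share.id && typeof payload.nonce === "string";
  } catch {
    return false;
  }
}
```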