From 24459d852ec9b15e3202b969cd51b2d26591840e Mon Sep 17 00:00:00 2001
From: Minh Ha
Date: Wed, 30 Mar 2022 05:37:38 +1300
Subject: [PATCH] fix: comparing hashed password with plain text password during password grant (#627)
* fix: use object.CheckPassword for password grant
* Apply suggestions from code review fix: remove log per change request
---
 object/token.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/object/token.go b/object/token.go
index 38c76a28..45150f76 100644
--- a/object/token.go
+++ b/object/token.go
@@ -522,7 +522,8 @@ func GetPasswordToken(application *Application, username string, password string
 if user == nil {
 return nil, errors.New("error: the user does not exist")
 }
- if user.Password != password {
+ msg := CheckPassword(user, password)
+ if msg != "" {
 return nil, errors.New("error: invalid username or password")
 }
 if user.IsForbidden {
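Review bot: The `user == nil` branch directly above the new `CheckPassword` call still returns "error: the user does not exist", while a failed check returns "error: invalid username or password", so the password grant tells an unauthenticated caller which usernames are registered. Returning the same generic error in both branches closes that gap: `return nil, errors.New("error: invalid username or password")` in the nil-user branch. The missing-user path also returns before any password verification runs, so if `CheckPassword` (not visible in this hunk) does real hashing work, the response time may differ as well; this should be confirmed against its implementation. Dropping `msg` rather than returning it looks deliberate and keeps verifier detail away from the client; a short comment such as `// msg is not returned to the caller on purpose` would record that. `GetPasswordToken` starts and ends outside this hunk.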