From fff1aa06f641366cc660825dadf92274666dcbb2 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov" <alexander.klimov@icinga.com>
Date: Tue, 29 Apr 2025 12:16:51 +0200
Subject: [PATCH 1/2] Introduce ApiUser#hashed_password

---
 CMakeLists.txt         |  3 +++
 lib/remote/apiuser.cpp | 26 ++++++++++++++++++++++----
 lib/remote/apiuser.ti  |  1 +
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 86abc77d6..314e5e7fc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -232,6 +232,9 @@ endif()
 
 if(WIN32)
   list(APPEND base_DEPS ws2_32 dbghelp shlwapi msi)
+else()
+  find_library(CRYPT_LIBRARIES NAMES crypt)
+  list(APPEND base_DEPS ${CRYPT_LIBRARIES})
 endif()
 
 set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_RPATH};${CMAKE_INSTALL_FULL_LIBDIR}/icinga2")
diff --git a/lib/remote/apiuser.cpp b/lib/remote/apiuser.cpp
index 6c4da89aa..fd5025809 100644
--- a/lib/remote/apiuser.cpp
+++ b/lib/remote/apiuser.cpp
@@ -6,6 +6,11 @@
 #include "base/base64.hpp"
 #include "base/tlsutility.hpp"
 #include "base/utility.hpp"
+#include <mutex>
+
+#ifndef _WIN32
+#	include <unistd.h>
+#endif /* _WIN32 */
 
 using namespace icinga;
 
@@ -45,10 +50,23 @@ ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header)
 	 * 2) given password is empty
 	 * 2) configured password does not match.
 	 */
-	if (!user || password.IsEmpty())
-		return nullptr;
-	else if (user && !Utility::ComparePasswords(password, user->GetPassword()))
+	if (!user) {
 		return nullptr;
+	}
 
-	return user;
+#ifndef _WIN32
+	auto hash (user->GetHashedPassword());
+
+	if (!hash.IsEmpty()) {
+		static std::mutex mtx;
+		std::unique_lock lock (mtx);
+
+		auto hashed (crypt(password.CStr(), hash.CStr()));
+		return hashed == hash ? user : nullptr;
+	}
+#endif /* _WIN32 */
+
+	auto plain (user->GetPassword());
+
+	return !plain.IsEmpty() && Utility::ComparePasswords(password, plain) ? user : nullptr;
 }
diff --git a/lib/remote/apiuser.ti b/lib/remote/apiuser.ti
index 0b49a1dd3..4d07c4e69 100644
--- a/lib/remote/apiuser.ti
+++ b/lib/remote/apiuser.ti
@@ -12,6 +12,7 @@ class ApiUser : ConfigObject
 {
 	/* No show config */
 	[config, no_user_view] String password;
+	[no_user_view, no_user_modify] String hashed_password;
 	[deprecated, config, no_user_view] String password_hash;
 	[config] String client_cn (ClientCN);
 	[config] array(Value) permissions;

From e1754a3cefa4a068426937392beb3215477910ed Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov" <alexander.klimov@icinga.com>
Date: Tue, 29 Apr 2025 12:19:43 +0200
Subject: [PATCH 2/2] Deprecate ApiUser#password

---
 lib/remote/apiuser.ti | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/remote/apiuser.ti b/lib/remote/apiuser.ti
index 4d07c4e69..2e1cfc1c1 100644
--- a/lib/remote/apiuser.ti
+++ b/lib/remote/apiuser.ti
@@ -11,7 +11,7 @@ namespace icinga
 class ApiUser : ConfigObject
 {
 	/* No show config */
-	[config, no_user_view] String password;
+	[deprecated, config, no_user_view] String password;
 	[no_user_view, no_user_modify] String hashed_password;
 	[deprecated, config, no_user_view] String password_hash;
 	[config] String client_cn (ClientCN);