From d3d3303dcbe4d6fd38473d1da4df4990cf8c23d7 Mon Sep 17 00:00:00 2001
From: zhongwencool
Date: Thu, 4 Jul 2024 10:14:21 +0800
Subject: [PATCH 1/2] chore: improve auth error for invalid salt/password type
---
 apps/emqx/src/emqx_passwd.erl | 6 +++++-
 apps/emqx/test/emqx_passwd_SUITE.erl | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/apps/emqx/src/emqx_passwd.erl b/apps/emqx/src/emqx_passwd.erl
index c243442ba..dc3622411 100644
--- a/apps/emqx/src/emqx_passwd.erl
+++ b/apps/emqx/src/emqx_passwd.erl
@@ -102,7 +102,11 @@ hash({SimpleHash, _Salt, disable}, Password) when is_binary(Password) ->
 hash({SimpleHash, Salt, prefix}, Password) when is_binary(Password), is_binary(Salt) ->
 hash_data(SimpleHash, <>);
 hash({SimpleHash, Salt, suffix}, Password) when is_binary(Password), is_binary(Salt) ->
- hash_data(SimpleHash, <>).
+ hash_data(SimpleHash, <>);
+hash({_SimpleHash, Salt, _SaltPos}, _Password) when not is_binary(Salt) ->
+ error({salt_not_string, Salt});
+hash({_SimpleHash, _Salt, _SaltPos}, Password) when not is_binary(Password) ->
+ error({password_not_string, Password}).
 -spec hash_data(hash_type(), binary()) -> binary().
 hash_data(plain, Data) when is_binary(Data) ->
diff --git a/apps/emqx/test/emqx_passwd_SUITE.erl b/apps/emqx/test/emqx_passwd_SUITE.erl
index fd032bdb1..3078a5805 100644
--- a/apps/emqx/test/emqx_passwd_SUITE.erl
+++ b/apps/emqx/test/emqx_passwd_SUITE.erl
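Review bot: In `apps/emqx/src/emqx_passwd.erl`, the two new `hash/2` clauses put the rejected term itself into the error reason: `error({password_not_string, Password})` carries whatever was supplied as the password and `error({salt_not_string, Salt})` carries the salt. If the code that catches this logs the reason (not visible here), any non-binary term that holds real credential material is written to the logs verbatim; raising a value-free reason such as `error(password_not_string)` and `error(salt_not_string)` would avoid that, with the matching assertions in `emqx_passwd_SUITE.erl` updated. Separately, for salt position `disable` with both a non-binary salt and a non-binary password, the `salt_not_string` clause matches first although that mode ignores the salt; putting the password clause before the salt clause would report the actual problem. The earlier clauses of `hash/2` start outside the hunk.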
@@ -124,4 +124,18 @@ t_hash(_) ->
 false = emqx_passwd:check_pass({pbkdf2, sha, Pbkdf2Salt, 2, BadDKlen}, Pbkdf2, Password),
 %% Invalid derived_length, pbkdf2 fails
- ?assertException(error, _, emqx_passwd:hash({pbkdf2, sha, Pbkdf2Salt, 2, BadDKlen}, Password)).
+ ?assertException(error, _, emqx_passwd:hash({pbkdf2, sha, Pbkdf2Salt, 2, BadDKlen}, Password)),
+
+ %% invalid salt (not binary)
+ ?assertException(
+ error,
+ {salt_not_string, false},
+ emqx_passwd:hash({sha256, false, suffix}, Password)
+ ),
+
+ %% invalid password (not binary)
+ ?assertException(
+ error,
+ {password_not_string, bad_password_type},
+ emqx_passwd:hash({sha256, Salt, suffix}, bad_password_type)
+ ).
From 755d6c9e0f29fbcfd47b7bc35063314b5de399cc Mon Sep 17 00:00:00 2001
From: zhongwencool
Date: Fri, 5 Jul 2024 10:21:04 +0800
Subject: [PATCH 2/2] chore: add changelog for 13398 and 13408
---
 changes/ce/fix-13398.en.md | 1 +
 changes/ce/fix-13408.en.md | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 changes/ce/fix-13398.en.md
 create mode 100644 changes/ce/fix-13408.en.md
diff --git a/changes/ce/fix-13398.en.md b/changes/ce/fix-13398.en.md
new file mode 100644
index 000000000..fb2f891e8
--- /dev/null
+++ b/changes/ce/fix-13398.en.md
@@ -0,0 +1 @@
+Fix acl rule clearing when reloading built-in-database for authorization using command line.
diff --git a/changes/ce/fix-13408.en.md b/changes/ce/fix-13408.en.md
new file mode 100644
index 000000000..e27482d91
--- /dev/null
+++ b/changes/ce/fix-13408.en.md
@@ -0,0 +1 @@
+Fix function_clause crash that occurs when attempting to authenticate with an invalid type of salt or password.
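Review bot: In `apps/emqx/test/emqx_passwd_SUITE.erl`, the new negative cases exercise only the `suffix` salt position, so the fall-through behaviour for `prefix` and `disable` is untested. A case such as `?assertException(error, {password_not_string, bad_password_type}, emqx_passwd:hash({sha256, Salt, disable}, bad_password_type))` would pin that a bad password is still rejected when the salt is ignored. `Salt` and `Password` are bound earlier in `t_hash/1`, outside the hunk.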