fix: disallow usage of default password (#3284)

config.default.ini.php

@@ -75,8 +75,8 @@ enable = false
 
 username = "admin"
 
-; This default password is public knowledge. Replace it.
-password = "7afbf648a369b261"
+; The password cannot be the empty string if authentication is enabled.
+password = ""
 
 ; This will be used only for actions that require privileged access
 access_token = ""

lib/AuthenticationMiddleware.php

@@ -14,6 +14,13 @@
 
 final class AuthenticationMiddleware
 {
+    public function __construct()
+    {
+        if (Configuration::getConfig('authentication', 'password') === '') {
+            throw new \Exception('The authentication password cannot be the empty string');
+        }
+    }
+
     public function __invoke(): void
     {
         $user = $_SERVER['PHP_AUTH_USER'] ?? null;

lib/RssBridge.php

@@ -63,8 +63,8 @@ final class RssBridge
         // Consider: ini_set('error_reporting', E_ALL & ~E_DEPRECATED);
         date_default_timezone_set(Configuration::getConfig('system', 'timezone'));
 
-        $authenticationMiddleware = new AuthenticationMiddleware();
         if (Configuration::getConfig('authentication', 'enable')) {
+            $authenticationMiddleware = new AuthenticationMiddleware();
             $authenticationMiddleware();
         }