From e620e2c282dbeb1fc152bd3bba00336df2440403 Mon Sep 17 00:00:00 2001
From: Xiao
Date: Tue, 2 Jan 2024 22:35:41 -0300
Subject: [PATCH] Fixed error on start up when password is numeric

closes: TryGhost/Ghost#16918 and TryGhost/Ghost#18968
- converted password to String before updating Hash
- added test case to cover it
---
 ghost/security/lib/tokens.js | 2 +-
 ghost/security/test/tokens.test.js | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ghost/security/lib/tokens.js b/ghost/security/lib/tokens.js
index 9614d06fe0..a0d31de2bf 100644
--- a/ghost/security/lib/tokens.js
+++ b/ghost/security/lib/tokens.js
@@ -45,7 +45,7 @@ module.exports.resetToken = {
 hash.update(String(expires));
 hash.update(email.toLocaleLowerCase());
- hash.update(password);
+ hash.update(String(password));
 hash.update(String(dbHash));
 text += [expires, email, hash.digest('base64')].join('|');
diff --git a/ghost/security/test/tokens.test.js b/ghost/security/test/tokens.test.js
index adfbf01287..515e41b38f 100644
--- a/ghost/security/test/tokens.test.js
+++ b/ghost/security/test/tokens.test.js
@@ -20,6 +20,22 @@ describe('Utils: tokens', function () {
 token.length.should.be.above(0);
 });
+ it('generate allow numeric password', function () {
+ const expires = Date.now() + 60 * 1000;
+ const dbHash = uuid.v4();
+ let token;
+
+ token = security.tokens.resetToken.generateHash({
+ email: 'test1@ghost.org',
+ expires: expires,
+ password: 123456,
+ dbHash: dbHash
+ });
+
+ should.exist(token);
+ token.length.should.be.above(0);
+ });
+
+ it('compare: success', function () {
 const expires = Date.now() + 60 * 1000;
 const dbHash = uuid.v4();
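Review bot: `hash.update(String(password))` accepts every value, not just numbers: `undefined`, `null` and objects become the literals `'undefined'`, `'null'` and `'[object Object]'`, so a call with no password now yields a well-formed token where `hash.update()` previously threw. The password input is presumably what binds a reset token to the account's current credential, and a token derived from a missing value would not change when the password does. I would reject absent values before hashing and coerce only after that, e.g. `if (password === undefined || password === null) { throw new TypeError('password is required'); }`. The neighbouring `String(dbHash)` has the same property, and the enclosing function starts and ends outside the hunk, so validation elsewhere in it is not visible here.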
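Review bot: The added test 'generate allow numeric password' only checks that a non-empty token comes back, so it would still pass if the numeric password were left out of the digest or hashed differently from its string form. Pin the coercion by generating a second token with `password: '123456'` and the same `email`, `expires` and `dbHash`, then asserting `token.should.equal(tokenFromString);`. As a style point, `let token;` followed by a separate assignment can be a single `const token = ...` declaration.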