movableink · mnutt · Mar 12, 2020 · Mar 12, 2020
diff --git a/config/domains/default.js.example b/config/domains/default.js.example
@@ -55,6 +55,8 @@ module.exports = {
     // Simple password login, make sure you choose a very secure password.
     // password: {
     //  token: "YOUR-PASSWORD" // any user that knows this can log in
+    //     -- or --
+    //  tokens: ["ONE-PASSWORD", "ANOTHER-PASSWORD"] // either of these can be used
     // },
 
     // Register a new oauth app on Google Apps at

diff --git a/lib/proxy_domain.js b/lib/proxy_domain.js
@@ -131,11 +131,9 @@ class ProxyDomain {
     passport.use(
       `${this.options.domain}-local`,
       new LocalStrategy({ tokenField: "password" }, function(token, cb) {
-        if (
-          config.token &&
-          config.token.length === token.length &&
-          safeCompare(config.token, token)
-        ) {
+        const tokens = config.token ? [config.token] : config.tokens || [];
+
+        if (tokens.find(t => t.length && t.length == token.length && safeCompare(t, token))) {
           log.info("Authenticated with password login");
           return cb(null, { password: { authenticated: true } });
         } else {