Closed lonix1 closed 5 years ago
I'm just gonna do it manually. In the authorizer I do

```js
if (!username.trim() || !password.trim()) return callback(null, false);
```
(Would be nice to have this edge case handled by the library though...)
Spaces can be significant. Depends on your use case. I'm not in favor of trimming by default, but that could become an opt-in via an option, I agree :)
Hmm interesting, though I can't recall encountering usernames or passwords with spaces... Can you think of an example?
I guess it could be a check for "whitespace only" rather than to trim a string and potentially mangle it like you indicated.
So this is bad: `   ` <-- whitespace only

But maybe this is good: `jack   ` <-- notice trailing spaces (though I've never seen this before)
You're right, this is rare. I think I don't like it because it's against the principle of least astonishment. You don't expect that a library that does authentication will reinterpret the strings you give to it. That's not its purpose, not its responsibility. An opt-in, or eventually a well-documented opt-out, if we decide to trim by default, could somewhat solve that philosophical problem.
I am using a custom `authorizer` function. What do you guys do when the username / password is missing or whitespace? Does the library handle that case and return 401, or must I do so manually?
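The check discussed in this thread, as an added example that is not part of the thread or of the library's code: an authorizer that rejects missing or whitespace-only credentials without trimming, so a value such as `jack ` is compared exactly as supplied. The `(username, password, callback)` shape follows the snippet in the thread; the `USERS` store, the helper names and the sample credentials are constructed assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed sample credential store (assumption; not from the thread).
const USERS = new Map([['jack', 's3cret pass']]);

// True when the value is absent, not a string, empty, or whitespace only.
// Uses a regex test rather than trim(), so the input string is never altered
// and an undefined value does not throw.
function isBlank(value) {
  return typeof value !== 'string' || !/\S/.test(value);
}

// Constant-time comparison over fixed-length digests, so differing lengths
// and early mismatches are not observable through timing.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a, 'utf8').digest();
  const hb = crypto.createHash('sha256').update(b, 'utf8').digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Authorizer with the (username, password, callback) shape used in the thread.
// Assumes a Node-style callback: callback(err, authorized).
function authorizer(username, password, callback) {
  // Deny missing or whitespace-only credentials before any lookup.
  if (isBlank(username) || isBlank(password)) return callback(null, false);
  // Look the name up exactly as supplied: 'jack ' is not 'jack'.
  const known = USERS.has(username);
  const expected = known ? USERS.get(username) : '';
  // Always run the comparison so unknown users take the same code path.
  const matches = safeEqual(password, expected);
  return callback(null, known && matches);
}

// Convenience wrapper for checking a result; the callback above is invoked
// synchronously, so the value is set before this function returns.
function check(username, password) {
  let result;
  authorizer(username, password, (err, authorized) => { result = authorized; });
  return result;
}
```
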