LionC / express-basic-auth

Plug & play basic auth middleware for express

[Question] Blank/missing credentials #19

Closed lonix1 closed 5 years ago

lonix1 commented 5 years ago

I am using a custom authorizer function.

What do you guys do when the username / password is missing or whitespace? Does the library handle that case and return 401, or must I do so manually?

lonix1 commented 5 years ago

I'm just gonna do it manually. In the authorizer I do

if (!username.trim() || !password.trim()) return callback(null, false);

(Would be nice to have this edge case handled by the library though...)

toverux commented 5 years ago

Spaces can be significant. Depends on your use case. I'm not in favor of trimming by default, but that could become an opt-in via an option, I agree :)

lonix1 commented 5 years ago

Hmm interesting, though I can't recall encountering usernames or passwords with spaces... Can you think of an example?

I guess it could be a check for "whitespace only" rather than to trim a string and potentially mangle it like you indicated.

So this is bad: `   ` <-- whitespace only

But maybe this is good: `jack   ` <-- notice trailing spaces (though I've never seen this before)

toverux commented 5 years ago

You're right, this is rare. I think I don't like it because it's against the principle of least astonishment. You don't expect that a library that does authentication will reinterpret the strings you give to it. That's not its purpose, not its responsibility. An opt-in, or eventually a well-documented opt-out, if we decide to trim by default, could somewhat solve that philosophical problem.