search

jaredhanson / passport-local

Username and password authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-local/?utm_source=github&utm_medium=referral&utm_campaign=passport-local&utm_content=about
MIT License
2.73k stars 498 forks source link

Bug: Password field cannot be empty #180

Open relativityboy opened 5 years ago

relativityboy commented 5 years ago

In some cases users may need to have a password that is `. *passport-local* fails with the messageMissing credentialsin this case. This error is wrong, as the password property is present onreq.body`

A zero length password can be useful in testing, initial signup on a closed network, etc.

Expected behavior

When the 'username' and 'password' properties are present on req.body the validation function should be called, unless those properties are undefined.

Actual behavior

If req.body.$passwordField is `` the validation function is not called.

Steps to reproduce

Instantiate any app and pass a password of zero-length when logging in.

Slightly contrived example.

passport.use(new LocalStrategy(
  {
    usernameField: 'email',
    passwordField: 'password'
  },
  (email, password, done) => {
  console.log('LocalStrategy', email, password)
  if(email !== 'admin') return done(null, false, { message: 'Incorrect username.' })
  if(password !== '') return done(null, false, { message: 'Password should be empty.' })
}))

Environment