jaredhanson / passport-local

Username and password authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-local/?utm_source=github&utm_medium=referral&utm_campaign=passport-local&utm_content=about
MIT License

Support "empty string" password? #86

Closed jacargentina closed 9 years ago

jacargentina commented 10 years ago

I don't know if this is on purpose:

https://github.com/jaredhanson/passport-local/blob/master/lib/strategy.js#L72

With that, when I try to auth with the JSON body { "username": "myuser", password: "" }, I get the later error, because "" || null returns null.

nikolaybobrovskiy commented 10 years ago

Would also like an option to allow an empty password.

GochoMugo commented 9 years ago

:+1: It should be left to the application to handle any kind of passwords a user might pass, be it a 100-character string or just a "" (empty string), don't you think?

jaredhanson commented 9 years ago

For security reasons, an empty password is considered a missing credential. This is by design, and considered a security feature.

casperlamboo commented 7 years ago

@jaredhanson would you allow for a pull request where allowEmptyPassword is set through an option? This option is (of course) set to false by default.

jaredhanson commented 7 years ago

What would be the point of this option? If the password is empty, no authentication is possible. Why would an application allow that?


casperlamboo commented 7 years ago

This would allow for logging in with an empty string as password. In some cases this is very useful. I understand this is a security risk, but in my case I find the benefits outweigh the risk, so I want to be able to make the conscious decision to provide empty strings as passwords. Clearly this is a feature that is desired by at least 4 people.

The use case I'm referring to is an admin panel where user accounts can be created. These user accounts will have an empty string as password when created. When logging in for the first time users can just provide their email as login credentials. After logging in the users will be prompted to provide a secure password which must be verified via email.

jaredhanson commented 7 years ago

This is not authentication, so no, I will not accept a PR with this functionality.

You are free to fork this module, and implement and maintain the functionality if you need it.
