Authorization tokens force a non-blank username
Closed this issue · 4 comments
I know APIs exist where the user must be blank and only the password is used to identify and authenticate the user. I would assume that there also exist some that are the converse (empty pass + token in username). Disallowing the empty string seems like an unnecessary restriction, and would be better handled with a warning to confirm upon save.
Hi. Thanks for opening an issue about this. I agree with you. It's probably best to make both fields optional. We could show a warning, but I'm not even sure if that's necessary.
Do you know what an empty username/password looks like in the header? Are they just treated as empty strings?
- Empty username & password=secret
  base64(":secret")
  Authorization: Basic OnNlY3JldA==
- Username=user & empty password
  base64("user:")
  Authorization: Basic dXNlcjo=
Oh yeah, the empty password case works exactly like that at the moment. So I assume the empty username case will work the same way.
Yeah, empty strings. The colon is always included so it can be decoded and tokenised by standard tools.
I uploaded version 4.4.0, which makes the username optional. It should be available within the next few hours. Thanks again for reporting.
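The encoding discussed in this thread, as an added example that is not part of the original issue or the project's code: it builds and parses Basic credentials with either field empty, and goes slightly beyond the thread by splitting on the first colon only (RFC 7617), so passwords containing colons survive a round trip. The function names `encode_basic` and `decode_basic` and the sample values are assumptions made for illustration.

```python
from __future__ import annotations

import base64


def encode_basic(username: str = "", password: str = "") -> str:
    """Build an Authorization header value; either field may be empty."""
    # The first colon is the separator, so the username itself cannot contain one.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value: str) -> tuple[str, str]:
    """Parse an Authorization header value into (username, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # covers bad base64 and bad UTF-8
        raise ValueError("malformed Basic credential") from exc
    # Split on the FIRST colon only: everything after it is the password.
    username, sep, password = raw.partition(":")
    if not sep:
        # Without the colon, "token only" cannot be told apart from "username only".
        raise ValueError("missing ':' separator")
    return username, password


if __name__ == "__main__":
    # Constructed sample values, matching the two cases from the thread.
    for user, pw in [("", "secret"), ("user", ""), ("user", "a:b")]:
        header = encode_basic(user, pw)
        print(f"{user!r:8} {pw!r:10} -> Authorization: {header}")
        assert decode_basic(header) == (user, pw)
```

A server-side parser that rejects a credential without the colon avoids guessing which field a bare token was meant to fill.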