jaredhanson/passport-local

Bug: Password field cannot be empty

relativityboy opened this issue · 0 comments

In some cases users may need to have a password that is ``. passport-local fails with the message Missing credentials in this case.
This error is wrong, as the password property is present on `req.body`

A zero length password can be useful in testing, initial signup on a closed network, etc.

Expected behavior

When the 'username' and 'password' properties are present on req.body the validation function should be called, unless those properties are undefined.

Actual behavior

If req.body.$passwordField is `` the validation function is not called.

Steps to reproduce

Instantiate any app and pass a password of zero-length when logging in.

Slightly contrived example.

passport.use(new LocalStrategy(
  {
    usernameField: 'email',
    passwordField: 'password'
  },
  (email, password, done) => {
  console.log('LocalStrategy', email, password)
  if(email !== 'admin') return done(null, false, { message: 'Incorrect username.' })
  if(password !== '') return done(null, false, { message: 'Password should be empty.' })
}))

Environment

  • Operating System:
  • Node version: 10.x
  • passport version: 0.4.0
  • passport-local version: 1.0.0