fix(xo-server/authentication): fail fast with empty passwords

There is no reason to attempt authentication with empty passwords, and this work around issues with some LDAP servers which may allow binds with empty passwords.

See xoa-support#469.

packages/xo-server/src/xo-mixins/authentication.js

@@ -111,6 +111,12 @@ export default class {
   }
 
   async authenticateUser (credentials) {
+    // don't even attempt to authenticate with empty password
+    const { password } = credentials
+    if (password === '') {
+      throw new Error('empty password')
+    }
+
     // TODO: remove when email has been replaced by username.
     if (credentials.email) {
       credentials.username = credentials.email