From 8689b48c5572c7a3371fa5026fce69cb9af1a699 Mon Sep 17 00:00:00 2001
From: Julien Fontanet
Date: Fri, 16 Feb 2018 11:47:01 +0100
Subject: [PATCH] fix(xo-server/authentication): fail fast with empty passwords

There is no reason to attempt authentication with empty passwords, and this work around issues with some LDAP servers which may allow binds with empty passwords. See xoa-support#469.
---
 packages/xo-server/src/xo-mixins/authentication.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/packages/xo-server/src/xo-mixins/authentication.js b/packages/xo-server/src/xo-mixins/authentication.js
index 9fb206caf..eb60cf762 100644
--- a/packages/xo-server/src/xo-mixins/authentication.js
+++ b/packages/xo-server/src/xo-mixins/authentication.js
@@ -111,6 +111,12 @@ export default class {
   }
 
   async authenticateUser (credentials) {
+    // don't even attempt to authenticate with empty password
+    const { password } = credentials
+    if (password === '') {
+      throw new Error('empty password')
+    }
+
     // TODO: remove when email has been replaced by username.
     if (credentials.email) {
       credentials.username = credentials.email
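Review bot: The comment on the first added line says what the guard does but not why it matters, and the reason (given only in the commit message) is the security-relevant part: some LDAP servers answer a bind with an empty password as a successful anonymous bind, so an empty password must never reach a provider. I would carry that into the code, e.g. `// reject empty passwords before any provider sees them: some LDAP servers accept an empty-password bind as an anonymous bind (see xoa-support#469)`. The check itself, `password === ''`, only matches the exact empty string; if a caller can supply a non-string value (for instance a number or null through the JSON API) it is not caught here, and whether a provider below would then bind with it cannot be told from this hunk, so it may be worth asserting `typeof password === 'string'` where a password is actually expected, unless absent passwords are legitimate for token-based credentials handled later in this method. The body of `authenticateUser` continues past the end of the hunk.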