Fix code err code 401 when the password is empty in base_auth. #958
Conversation
|
@CncGpp, thanks for the pull request, but it looks dangerous to accept blank password... RFC 7613 4.1 says:
As you mentioned in #650, I made a change to allow username to be blank, since it looks a pretty common practice by popular servers. But I am not sure that the same thing can apply to password. Please give me more information why you really need it, or what servers are really allowing it. Thanks! |
|
I'm using cpp-httplib to implement a basic client for ArangoDB (HTTP API), the DB password can be empty. |
|
@PixlRainbow, what do you think about this pull request? |
|
I've looked into it; this should handle the case where a password needs to be sent that is blank. However, I found that certain servers may need the password field to be not present (not sent at all). But if your use case only requires the first case, then OK. I would recommend however to use XOR instead of OR since we might not want to send basic auth header if both username and password are unset. |
|
@CncGpp, could you respond the comment from @PixlRainbow? |
|
Sorry for the delay, wouldn't using XOR break the case where both userand pass are set? I think the OR is fine, when they are both empty it does not enter the if. |
|
ahh my bad, I had mistaken the conditions backwards :D |
|
Thanks for the replies. I just merged it. Thanks for the contribution! |
Fix: When setting the base_auth with a non-empty username and an empty password no auth is insert in the header.
The problem is similar to #650 but for the password.