From 1789c92815efa53a3b263f07c819bb6e98be258c Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 26 Feb 2026 01:52:54 -0700
Subject: [PATCH] fix(auth/csvauth): don't allow BOTH username and password to be empty
---
 auth/csvauth/csvauth.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/auth/csvauth/csvauth.go b/auth/csvauth/csvauth.go
index 1bb9986..9e302c2 100644
--- a/auth/csvauth/csvauth.go
+++ b/auth/csvauth/csvauth.go
@@ -358,6 +358,10 @@ func (a *Auth) gcmDecrypt(aes128key [16]byte, gcmNonce [12]byte, derived []byte)
 // - the resulting 'user' must match BasicAuthTokenNames ("", "api", and "apikey" are the defaults)
 // - then the token is (timing-safe) hashed to check if it exists, and then verified by its algorithm
 func (a *Auth) Authenticate(name, secret string) (*Credential, error) {
+ if name == "" && secret == "" {
+ return nil, ErrUnauthorized
+ }
+
 a.mux.Lock()
 defer a.mux.Unlock()
 c, ok := a.credentials[name]
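Review bot: The new guard at the top of Authenticate rejects only the case where both `name` and `secret` are empty, so a call with a non-empty `name` and an empty `secret` still reaches the `a.credentials[name]` lookup; whether that can ever verify depends on code past the end of this hunk. Since the doc comment lists `""` as a default token name, empty values are a normal input here, and it seems worth confirming with a regression test that the verification path never accepts an empty secret for any stored credential. The doc comment above the function should also record the new rule, for example `// - a call with both name and secret empty is rejected with ErrUnauthorized before any lookup`. The function body continues outside the hunk.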