Do not create user if username or password is empty (#3650)

imwiss · flovilmart · commit 2533a8cdb316 · 2017-03-17T18:57:21.000-04:00
diff --git a/spec/ParseServerRESTController.spec.js b/spec/ParseServerRESTController.spec.js
@@ -1,5 +1,7 @@
 const ParseServerRESTController = require('../src/ParseServerRESTController').ParseServerRESTController;
 const ParseServer = require('../src/ParseServer').default;
+const Parse = require('parse/node').Parse;
+
 let RESTController;
 
 describe('ParseServerRESTController', () => {
@@ -103,6 +105,28 @@ describe('ParseServerRESTController', () => {
     });
   });
 
+  it('ensures no user is created when passing an empty username', (done) => {
+    RESTController.request("POST", "/classes/_User", {username: "", password: "world"}).then(() => {
+      jfail(new Error('Success callback should not be called when passing an empty username.'));
+      done();
+    }, (err) => {
+      expect(err.code).toBe(Parse.Error.USERNAME_MISSING);
+      expect(err.message).toBe('bad or missing username');
+      done();
+    });
+  });
+
+  it('ensures no user is created when passing an empty password', (done) => {
+    RESTController.request("POST", "/classes/_User", {username: "hello", password: ""}).then(() => {
+      jfail(new Error('Success callback should not be called when passing an empty password.'));
+      done();
+    }, (err) => {
+      expect(err.code).toBe(Parse.Error.PASSWORD_MISSING);
+      expect(err.message).toBe('password is required');
+      done();
+    });
+  });
+
   it('ensures no session token is created on creating users', (done) => {
     RESTController.request("POST", "/classes/_User", {username: "hello", password: "world"}).then((user) => {
       expect(user.sessionToken).toBeUndefined();
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -204,11 +204,11 @@ RestWrite.prototype.validateAuthData = function() {
   }
 
   if (!this.query && !this.data.authData) {
-    if (typeof this.data.username !== 'string') {
+    if (typeof this.data.username !== 'string' || _.isEmpty(this.data.username)) {
       throw new Parse.Error(Parse.Error.USERNAME_MISSING,
                             'bad or missing username');
     }
-    if (typeof this.data.password !== 'string') {
+    if (typeof this.data.password !== 'string' || _.isEmpty(this.data.password)) {
       throw new Parse.Error(Parse.Error.PASSWORD_MISSING,
                             'password is required');
     }

Original file line number	Diff line number	Diff line change
`@@ -204,11 +204,11 @@ RestWrite.prototype.validateAuthData = function() {`
`204`	`204`	`}`
`205`	`205`
`206`	`206`	`if (!this.query && !this.data.authData) {`
`207`		`- if (typeof this.data.username !== 'string') {`
	`207`	`+ if (typeof this.data.username !== 'string' \|\| _.isEmpty(this.data.username)) {`
`208`	`208`	`throw new Parse.Error(Parse.Error.USERNAME_MISSING,`
`209`	`209`	`'bad or missing username');`
`210`	`210`	`}`
`211`		`- if (typeof this.data.password !== 'string') {`
	`211`	`+ if (typeof this.data.password !== 'string' \|\| _.isEmpty(this.data.password)) {`
`212`	`212`	`throw new Parse.Error(Parse.Error.PASSWORD_MISSING,`
`213`	`213`	`'password is required');`
`214`	`214`	`}`