Do not allow to sign in using blank username or blank password

AD allows bind with with correct username and empty password so application will think user successfully authenticated which is a serious mistake

Do not allow to sign in using blank username or blank password
987a81f7 · Dmitriy Dzema · df7a8d04 · 987a81f7
Commit 987a81f7 authored 12 years ago by Dmitriy Dzema
--- a/lib/omniauth/strategies/ldap.rb
+++ b/lib/omniauth/strategies/ldap.rb
@@ -37,7 +37,7 @@ module OmniAuth
      def callback_phase
        @adaptor = OmniAuth::LDAP::Adaptor.new @options
  
-        return fail!(:missing_credentials) if request['username'].nil? || request['password'].nil?
+        return fail!(:missing_credentials) if missing_credentials?
        begin
          @ldap_user_info = @adaptor.bind_as(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @options[:name_proc].call(request['username'])),:size => 1, :password => request['password'])
          return fail!(:invalid_credentials) if !@ldap_user_info
@@ -80,6 +80,12 @@ module OmniAuth
        end
        user
      end
+
+      protected
+
+      def missing_credentials?
+        request['username'].nil? or request['username'].empty? or request['password'].nil? or request['password'].empty?
+      end # missing_credentials?
    end
  end
 end