From 065331c77fc4e55853833bf5964c29b866eaa40d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <f@miniflux.net>
Date: Sun, 27 Sep 2020 13:18:51 -0700
Subject: [PATCH] api: avoid database lookup if empty credentials are provided

---
 api/middleware.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/api/middleware.go b/api/middleware.go
index 1ddc08e0..23017863 100644
--- a/api/middleware.go
+++ b/api/middleware.go
@@ -89,6 +89,12 @@ func (m *middleware) basicAuth(next http.Handler) http.Handler {
 			return
 		}
 
+		if username == "" || password == "" {
+			logger.Error("[API][BasicAuth] [ClientIP=%s] Empty username or password", clientIP)
+			json.Unauthorized(w, r)
+			return
+		}
+
 		if err := m.store.CheckPassword(username, password); err != nil {
 			logger.Error("[API][BasicAuth] [ClientIP=%s] Invalid username or password: %s", clientIP, username)
 			json.Unauthorized(w, r)
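Review bot: The new branch at `if username == "" || password == ""` logs at Error level for a condition any unauthenticated client can trigger at will, so blank Basic Auth requests can fill the error log cheaply now that they no longer cost a store lookup. The existing invalid-password branch below has the same property, so a lower severity or rate-limited logging for both is worth considering, if the project's logger offers one. The guard also deserves a one-line comment stating its intent, for example `// Skip the store lookup when either credential is empty.` Returning the same `json.Unauthorized(w, r)` as the invalid-password path keeps the two failures indistinguishable to the client, which should be preserved. basicAuth's body starts and ends outside the hunk.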
-- 
GitLab