Authorization tokens force a non-blank username

[Roy-Orbison]

I know APIs exist where the user must be blank and only the password is used to identify and authenticate the user. I would assume that there also exist some that are the converse (empty pass + token in username). Disallowing the empty string seems like an unnecessary restriction, and would be better handled with a warning to confirm upon save.

[frigus02]

Hi. Thanks for opening an issue about this. I agree with you. It's probably best to make both fields optional. We could show a warning, but I'm not even sure if that's necessary.

Do you know how an empty username/password looks like in the header? Are they just treated as empty strings?

• Empty username & password=secret 👉 base64(":secret") 👉 Authorization: Basic OnNlY3JldA==
• Username=user & empty password 👉 base64("user:") 👉 Authorization: Basic dXNlcjo=

[frigus02]

Oh yeah, the empty password case works exactly like that at the moment. So I assume the empty username case will work the same way.

[Roy-Orbison]

Yeah, empty strings. The colon is always included so it can be decoded and tokenised by standard tools.

[frigus02]

I uploaded version 4.4.0, which makes the username optional. Should be available in the next hours. Thanks again for reporting.