From 2c387351c63cae3434c068b523261f5e89732b1d Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Thu, 11 Aug 2016 14:46:52 +0200
Subject: [PATCH] Deny access for empty password authentication attempts
---
 lib/models/users.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/models/users.js b/lib/models/users.js
index d3e7bf51..10e92784 100644
--- a/lib/models/users.js
+++ b/lib/models/users.js
@@ -116,6 +116,10 @@ module.exports.add = (username, password, email, callback) => {
 */
 module.exports.authenticate = (username, password, callback) => {
 
+ if (password === '') {
+ return callback(null, false);
+ }
+
 let login = (connection, callback) => {
 connection.query('SELECT `id`, `password`, `access_token` FROM `users` WHERE `username`=? OR email=? LIMIT 1', [username, username], (err, rows) => {
 if (err) {
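Review bot: The new guard at the top of `authenticate` rejects only the exact empty string, so `undefined`, `null` or a non-string value (an array or object produced by a body parser, for instance) passes it and continues to the lookup and password comparison, which lie outside this hunk. If the intent is to refuse every attempt that carries no usable password, check the type as well: `if (typeof password !== 'string' || password === '') {`. The same type check on `username` is worth adding, because it is handed directly to the query parameters in the context lines below; whether callers can actually supply non-strings is not visible here. A one-line comment above the guard saying why empty passwords are denied would also help, since the reason depends on how stored passwords are compared further down.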