From 2533a8cdb316dc9e31ff416af4e37a95f5fbf86e Mon Sep 17 00:00:00 2001
From: Wissam Abirached
Date: Fri, 17 Mar 2017 18:57:21 -0400
Subject: [PATCH] Do not create user if username or password is empty (#3650)
---
 spec/ParseServerRESTController.spec.js | 24 ++++++++++++++++++++++++
 src/RestWrite.js | 4 ++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/spec/ParseServerRESTController.spec.js b/spec/ParseServerRESTController.spec.js
index ffbfa040..06d5999a 100644
--- a/spec/ParseServerRESTController.spec.js
+++ b/spec/ParseServerRESTController.spec.js
@@ -1,5 +1,7 @@
 const ParseServerRESTController = require('../src/ParseServerRESTController').ParseServerRESTController;
 const ParseServer = require('../src/ParseServer').default;
+const Parse = require('parse/node').Parse;
+
 let RESTController;
 describe('ParseServerRESTController', () => {
@@ -103,6 +105,28 @@ describe('ParseServerRESTController', () => {
 });
 });
+ it('ensures no user is created when passing an empty username', (done) => {
+ RESTController.request("POST", "/classes/_User", {username: "", password: "world"}).then(() => {
+ jfail(new Error('Success callback should not be called when passing an empty username.'));
+ done();
+ }, (err) => {
+ expect(err.code).toBe(Parse.Error.USERNAME_MISSING);
+ expect(err.message).toBe('bad or missing username');
+ done();
+ });
+ });
+
+ it('ensures no user is created when passing an empty password', (done) => {
+ RESTController.request("POST", "/classes/_User", {username: "hello", password: ""}).then(() => {
+ jfail(new Error('Success callback should not be called when passing an empty password.'));
+ done();
+ }, (err) => {
+ expect(err.code).toBe(Parse.Error.PASSWORD_MISSING);
+ expect(err.message).toBe('password is required');
+ done();
+ });
+ });
+
 it('ensures no session token is created on creating users', (done) => {
 RESTController.request("POST", "/classes/_User", {username: "hello", password: "world"}).then((user) => {
 expect(user.sessionToken).toBeUndefined();
diff --git a/src/RestWrite.js b/src/RestWrite.js
index 43738ae3..0cdc88bc 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -204,11 +204,11 @@ RestWrite.prototype.validateAuthData = function() {
 }
 if (!this.query && !this.data.authData) {
- if (typeof this.data.username !== 'string') {
+ if (typeof this.data.username !== 'string' || _.isEmpty(this.data.username)) {
 throw new Parse.Error(Parse.Error.USERNAME_MISSING, 'bad or missing username');
 }
- if (typeof this.data.password !== 'string') {
+ if (typeof this.data.password !== 'string' || _.isEmpty(this.data.password)) {
 throw new Parse.Error(Parse.Error.PASSWORD_MISSING, 'password is required');
 }
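Review bot: Both added `it(...)` blocks are titled "ensures no user is created", yet they assert only the rejection's `code` and `message`; nothing checks that `_User` is still empty afterwards. A follow-up read of `/classes/_User` in the error callback, expecting zero results, would pin the property the titles claim, so a later reordering of validation and write could not pass unnoticed. The cases also cover only `""`; a missing field or a non-string value takes the same branch in src/RestWrite.js and could be asserted alongside with the same expected codes.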
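Review bot: The new empty-string checks sit inside `if (!this.query && !this.data.authData)`, so they apply only to creation without authData; nothing visible in this hunk rejects an update (where `this.query` is set) that changes `username` or `password` to `""`. It is worth confirming that the update path validates these fields elsewhere, and adding a spec for it, since an account with an empty password is the outcome this commit is meant to prevent. As a style point, `_.isEmpty(...)` only runs after the `typeof ... !== 'string'` test has passed, so it only ever sees a string; `this.data.password.length === 0` states the intent directly and does not depend on `_`, which this commit does not import and is presumably already required in the file. The enclosing function begins and ends outside the hunk.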