Authentication: Empty credentials return 500 instead of 401 #40

@stanleykc

Description

When attempting to authenticate with empty username or empty password, the API returns HTTP 500 INTERNAL_SERVER_ERROR instead of HTTP 401 UNAUTHORIZED.

Current Behavior

  • Empty password with valid username → 500 Internal Server Error
  • Empty username with valid password → 500 Internal Server Error

Expected Behavior

Both scenarios should return 401 Unauthorized with CREDENTIALS_DO_NOT_MATCH reason, consistent with other authentication failure cases.

Security Implications

  • Information Disclosure: Returning 500 vs 401 reveals that empty credentials are handled differently, which could be useful for attackers
  • Security Best Practice: Authentication failures should always return the same error code to prevent credential enumeration

Affected Component

  • UnityAuthenticationProvider.java - The validate() method doesn't handle null/empty credentials gracefully

Reproduction

// Assumed: Micronaut Security, which provides UsernamePasswordCredentials
import io.micronaut.security.authentication.UsernamePasswordCredentials;

// Empty password with a valid username
UsernamePasswordCredentials emptyPassword = new UsernamePasswordCredentials("person1@test.io", "");
// Returns 500 INTERNAL_SERVER_ERROR

// Empty username with a valid password
UsernamePasswordCredentials emptyUsername = new UsernamePasswordCredentials("", "test");
// Returns 500 INTERNAL_SERVER_ERROR

Suggested Fix

Add validation in UnityAuthenticationProvider.authenticate() to check for null/empty credentials before processing:

// Reject a null or empty identity/secret with the same failure reason as a wrong password
if (authenticationRequest.getIdentity() == null ||
    authenticationRequest.getIdentity().toString().isEmpty() ||
    authenticationRequest.getSecret() == null ||
    authenticationRequest.getSecret().toString().isEmpty()) {
    return Mono.just(AuthenticationResponse.failure(CREDENTIALS_DO_NOT_MATCH.toString()));
}
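The following is an added, self-contained illustration of the bug and the proposed guard; it is not code from this project. It replaces the Unity backend and the Micronaut request types with a constructed in-memory stand-in (`UserStore`, `Result`, `backendLookup` are hypothetical names) so that the unchecked path, which escalates to an exception and therefore a 500, can be compared with the checked path, which maps every failure to the single CREDENTIALS_DO_NOT_MATCH reason.

```java
import java.util.Map;

public class EmptyCredentialCheck {
    static final String CREDENTIALS_DO_NOT_MATCH = "CREDENTIALS_DO_NOT_MATCH";

    // Constructed sample store standing in for the Unity backend (hypothetical).
    static final Map<String, String> UserStore = Map.of("person1@test.io", "test");

    // Outcome of one authentication attempt: a reason is present only on failure.
    record Result(boolean authenticated, String reason) {}

    // Simulates a backend that rejects an empty identity with an exception;
    // an unhandled exception here is what surfaces as HTTP 500.
    static String backendLookup(String username) {
        if (username.isEmpty()) throw new IllegalStateException("empty identity");
        return UserStore.get(username);
    }

    // Before the fix: empty credentials reach the backend unfiltered.
    static Result authenticateUnchecked(String user, String secret) {
        String stored = backendLookup(user);
        if (stored != null && stored.equals(secret)) return new Result(true, null);
        return new Result(false, CREDENTIALS_DO_NOT_MATCH);
    }

    // After the fix: null/empty identity or secret short-circuits to the same
    // reason as a wrong password, so every failure maps to 401 with one reason.
    static Result authenticateChecked(Object identity, Object secret) {
        if (identity == null || identity.toString().isEmpty()
                || secret == null || secret.toString().isEmpty()) {
            return new Result(false, CREDENTIALS_DO_NOT_MATCH);
        }
        return authenticateUnchecked(identity.toString(), secret.toString());
    }

    public static void main(String[] args) {
        try {
            authenticateUnchecked("", "test");            // empty username
        } catch (IllegalStateException e) {
            System.out.println("unchecked: exception -> 500 (" + e.getMessage() + ")");
        }
        System.out.println("checked, empty username: " + authenticateChecked("", "test"));
        System.out.println("checked, empty password: " + authenticateChecked("person1@test.io", ""));
        System.out.println("checked, null password:  " + authenticateChecked("person1@test.io", null));
        System.out.println("checked, wrong password: " + authenticateChecked("person1@test.io", "x"));
        System.out.println("checked, valid:          " + authenticateChecked("person1@test.io", "test"));
    }
}
```

All four failing inputs print the same Result(false, CREDENTIALS_DO_NOT_MATCH), which is the uniform 401 response the issue asks for.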

Related Tests

Test cases documenting this behavior:

  • UnityAuthenticationProviderTest.login_failsWithEmptyPassword()
  • UnityAuthenticationProviderTest.login_failsWithEmptyUsername()

Labels: bug (Something isn't working), security (Security-related issues)
