Do not allow LDAP login with empty password #1345

satterly · 2020-10-24T18:18:08Z

(venv) ➜  python-alerta-client git:(master) http -v :8080/auth/login username=foo password=
POST /auth/login HTTP/1.1
Accept: application/json, */*;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 35
Content-Type: application/json
Host: localhost:8080
User-Agent: HTTPie/2.1.0

{
    "username": "foo",
    "password": ""
}

HTTP/1.0 401 UNAUTHORIZED
Access-Control-Allow-Origin: http://localhost
Content-Length: 131
Content-Type: application/json
Date: Sat, 24 Oct 2020 20:31:10 GMT
Server: Werkzeug/1.0.1 Python/3.7.3
Vary: Origin
X-Request-ID: 06eefaf8-1716-49de-998f-e3c05f59292e

{
    "code": 401,
    "errors": null,
    "message": "password not allowed to be empty",
    "requestId": null,
    "status": "error"
}

Fixes #1277

Do not allow LDAP login with empty password

Do not allow LDAP login with empty password

8407575

satterly force-pushed the fix-ldap-empty-bind branch from 8a41fff to 8407575 Compare October 24, 2020 20:31

Fix type error on Note serialization

7397b21

satterly merged commit 2bfa317 into master Oct 24, 2020

satterly added the security This important issue will not be marked as stale by @probot label Nov 5, 2020

saivarunr pushed a commit to rudderlabs/alerta that referenced this pull request Nov 27, 2021

Merge pull request alerta#1345 from alerta/fix-ldap-empty-bind

9c60a51

Do not allow LDAP login with empty password

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Do not allow LDAP login with empty password #1345

Do not allow LDAP login with empty password #1345

satterly commented Oct 24, 2020 •

edited

Loading

Do not allow LDAP login with empty password #1345

Do not allow LDAP login with empty password #1345

Conversation

satterly commented Oct 24, 2020 • edited Loading

satterly commented Oct 24, 2020 •

edited

Loading