Authentication: LocalStrategy authenticates without any given Username

[jalbersdorfer]

Steps to reproduce

Authenticate using "strategy": "local" without providing anything but a password matching the password of the first user in database.

$ curl 'http://localhost:3030/authentication/' -H 'Content-Type: application/json' --data-binary '{"password": "S0m3Pa22wOrd", "strategy": "local"}' -o - | jq .

{
  "accessToken": "eyJhbGciO ... WOSRycz1lJQJNUk285VklI",
  "authentication": {
    "strategy": "local"
  },
  "user": {
    "id": 1,
    "email": "user@e.mail",
    "createdAt": "2019-09-12T14:31:03.925Z",
    "updatedAt": "2019-09-12T14:31:03.925Z"
  }
}

Expected behavior

Authentication should not be possible without providing a Username

Actual behavior

If the password compares to the passwordHash of the first User, authentication succeeds

System configuration

Module versions (especially the part that's not working): feathers@4.3.1

NodeJS version: v12.10.0

Operating System: Windows 10

Browser Version: curl 7.50.3 (i686-pc-cygwin) libcurl/7.50.3 OpenSSL/1.0.1g zlib/1.2.7 libidn/1.26 libssh2/1.7.0

React Native Version: -

Module Loader: -