Added passwordRequired to options, defaults to true #31
Conversation
|
@jaredhanson Can this be merged? This would be helpful for my use case as well. |
|
Is this any different than doing: |
|
Yeah. These requests aren't anonymous. They're authenticated using a single API key, instead of a username + password combination. The client sends that key as the username, and a blank password. |
|
@jaredhanson For example, the Stripe API uses the username as the authentication key, and leaves the password blank |
|
Wouldn't that be the point of passport-http-bearer? |
|
Sure, seems like that would be one way to design the API. But basic auth is widely implemented in clients. The spec for http basic doesn't seem to require that the password is non-zero length, so using it in this manner seems reasonable (as well as common). |
|
+1 |
|
Cool. Can't we just always accept empty passwords and pass them back to the |
|
I had backwards compatibility in mind, since some people might be relying on the failure mode for empty passwords. I don't think the change adds too much complexity, but you're right: it's nicer to just accept blank strings. |
|
Wanted to bump this up. @jaredhanson, what do you think? |
|
+1 Also need this to implement a Stripe-like Basic Auth convenience. @jaredhanson can we merge this? Backwards compatibility and the ability to opt-out of having to spend the resources to lookup a user and verify their hashed password might be good reasons to have the optional flag. |
|
@jaredhanson ?... |
|
I also echo the above comments. I think allowing for the password to be optional, which would allow us to mimic a Stripe-style API, would be very helpful. |
|
When is that going to be implemented ? It doesn't seem to be in the version 0.3.0 |
No description provided.