What happens when session_auth_hash is empty?

[askasp]

I want to migrate to axum-login, however my users does not have access_tokens stored at this time.
I see in the multiAuth example that you return &[] if its no access_token og passwords. Is this secure to do for the users that does not yet have an access_token stored? What are the security ramifications of returning &[] here?

Adding the referred code as a snippet!

fn session_auth_hash(&self) -> &[u8] {
        if let Some(access_token) = &self.access_token {
            return access_token.as_bytes();
        }

        if let Some(password) = &self.password {
            return password.as_bytes();
        }

        &[]
    }```

[maxcountryman]

I see in the multiAuth example that you return &[] if its no access_token og passwords

In the multi-auth example, that's an unreachable branch (users always have passwords).

For clarity, it would probably be better to update the example to panic instead of returning an empty array (which only there to satisfy the compiler).

For security reasons, you should never use an empty array as the auth hash value.

[askasp]

Thanks :)