fix(sspi): only add password and domain if they are provided

Users on windows may want to use their local account for authentication, bypassing the need to send a password. In these cases the password must be null, but we were sending a single byte, null-terminated string here because of the use of `std::string`. NODE-1479
mongodb-js · Oct 30, 2018 · bc48814 · bc48814
1 parent 187aab7
commit bc48814
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/win32/kerberos_sspi.cc b/src/win32/kerberos_sspi.cc
@@ -71,10 +71,16 @@ auth_sspi_client_init(WCHAR* service,
     if (*user) {
         authIdentity.User = (unsigned short*)user;
         authIdentity.UserLength = ulen;
-        authIdentity.Password = (unsigned short*)password;
-        authIdentity.PasswordLength = plen;
-        authIdentity.Domain = (unsigned short*)domain;
-        authIdentity.DomainLength = dlen;
+
+        if (*password) {
+            authIdentity.Password = (unsigned short*)password;
+            authIdentity.PasswordLength = plen;
+        }
+
+        if (*domain) {
+            authIdentity.Domain = (unsigned short*)domain;
+            authIdentity.DomainLength = dlen;
+        }
 
         authIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
     }