From 70645846baf3aa9ecb7f6f49de143a4282128a73 Mon Sep 17 00:00:00 2001
From: Justin Wind <justin.wind+git@gmail.com>
Date: Mon, 6 Jun 2022 11:21:38 -0700
Subject: [PATCH] handle undefined credential more gracefully

---
 lib/authenticator.js      | 6 +++++-
 test/lib/authenticator.js | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/authenticator.js b/lib/authenticator.js
index 0c0c349..4449a94 100644
--- a/lib/authenticator.js
+++ b/lib/authenticator.js
@@ -66,10 +66,14 @@ class Authenticator {
    */
   async isValidIdentifierCredential(identifier, credential, ctx) {
     const _scope = _fileScope('isValidIdentifierCredential');
-    this.logger.debug(_scope, 'called', { identifier, credential: '*'.repeat(credential.length), ctx });
+    this.logger.debug(_scope, 'called', { identifier, credential: '*'.repeat((credential || '').length), ctx });
 
     let isValid = false;
 
+    if (typeof credential === 'undefined') {
+      return isValid;
+    }
+
     await this.db.context(async (dbCtx) => {
       const authData = await this.db.authenticationGet(dbCtx, identifier);
       if (!authData) {
diff --git a/test/lib/authenticator.js b/test/lib/authenticator.js
index 22fc9d2..5da6439 100644
--- a/test/lib/authenticator.js
+++ b/test/lib/authenticator.js
@@ -117,6 +117,12 @@ describe('Authenticator', function () {
       assert.strictEqual(result, false);
       assert.strictEqual(ctx.authenticationId, undefined);
     });
+    it('covers non-string credential', async function () {
+      credential = '$argon2id$v=19$m=4096,t=3,p=1$SbAlHo5x2HM0PvMAWYHqww$gNn/o+B6+IWsnrVupPkTAiiK9tvwV+eM/HoXG41bnzM';
+      const result = await authenticator.isValidIdentifierCredential(identifier, undefined, ctx);
+      assert.strictEqual(result, false);
+      assert.strictEqual(ctx.authenticationId, undefined);
+    });
     it('covers unknown password hash', async function () {
       authenticator.db.authenticationGet.resolves({
         identifier,
-- 
2.43.2