Closed
Description
Steps to reproduce
Authenticate using "strategy": "local" without providing anything but a password matching the password of the first user in the database.
$ curl 'http://localhost:3030/authentication/' -H 'Content-Type: application/json' --data-binary '{"password": "S0m3Pa22wOrd", "strategy": "local"}' -o - | jq .
{
  "accessToken": "eyJhbGciO ... WOSRycz1lJQJNUk285VklI",
  "authentication": {
    "strategy": "local"
  },
  "user": {
    "id": 1,
    "email": "user@e.mail",
    "createdAt": "2019-09-12T14:31:03.925Z",
    "updatedAt": "2019-09-12T14:31:03.925Z"
  }
}
Expected behavior
Authentication should not be possible without providing a Username
Actual behavior
If the password compares to the passwordHash of the first User, authentication succeeds
System configuration
Module versions (especially the part that's not working): feathers@4.3.1
NodeJS version: v12.10.0
Operating System: Windows 10
Browser Version: curl 7.50.3 (i686-pc-cygwin) libcurl/7.50.3 OpenSSL/1.0.1g zlib/1.2.7 libidn/1.26 libssh2/1.7.0
React Native Version: -
Module Loader: -
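The class of defect reported above, shown next to a hardened check, as an added example (not Feathers code and not part of the original report). It assumes a hypothetical user store, findUsers, that ignores filter keys whose value is undefined; the function names, the salts and the second user are constructed.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: two users with salted scrypt password hashes.
const hash = (pw, salt) => crypto.scryptSync(pw, salt, 32).toString('hex');
const users = [
  { id: 1, email: 'user@e.mail', salt: 'a1', passwordHash: hash('S0m3Pa22wOrd', 'a1') },
  { id: 2, email: 'other@e.mail', salt: 'b2', passwordHash: hash('0th3rPa22', 'b2') }
];

// Hypothetical store (assumption): filter keys whose value is undefined are
// skipped, so the query { email: undefined } matches every record.
function findUsers(query, limit) {
  const keys = Object.keys(query).filter((k) => query[k] !== undefined);
  return users.filter((u) => keys.every((k) => u[k] === query[k])).slice(0, limit);
}

// Constant-time comparison of the candidate hash with the stored hash.
function passwordMatches(user, password) {
  const candidate = Buffer.from(hash(String(password), user.salt), 'hex');
  const stored = Buffer.from(user.passwordHash, 'hex');
  return crypto.timingSafeEqual(candidate, stored);
}

// Flawed: the identifier is never validated, so a request without an email
// falls through to "first record in the store" and only the password counts.
function authenticateFlawed({ email, password }) {
  const [user] = findUsers({ email }, 1);
  return user && passwordMatches(user, password) ? user.id : null;
}

// Hardened: reject the request before any lookup unless both fields are
// present, and refuse a lookup that does not resolve to exactly one user.
function authenticateHardened({ email, password }) {
  if (typeof email !== 'string' || email === '' || typeof password !== 'string') {
    return null;
  }
  const matches = findUsers({ email }, 2);
  if (matches.length !== 1) return null;
  return passwordMatches(matches[0], password) ? matches[0].id : null;
}
```

A regression test for this report would send a body containing only "password" and "strategy" and assert that the response is an authentication failure.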