don't allow empty credentials

closes #4

Author: svenluijten

src/SuperBasicAuth.php

@@ -3,20 +3,23 @@
 namespace Sven\SuperBasicAuth;
 
 use Closure;
+use Illuminate\Http\Request;
 
 class SuperBasicAuth
 {
     /**
      * Handle an incoming request.
      *
-     * @param  \Illuminate\Http\Request  $request
-     * @param  \Closure  $next
+     * @param  \Illuminate\Http\Request $request
+     * @param  \Closure                 $next
      *
      * @return mixed
      */
     public function handle($request, Closure $next)
     {
-        if ($request->getUser() === config('auth.basic.user') &&
+        if (
+            !$this->emptyCredentials($request) &&
+            $request->getUser() === config('auth.basic.user') &&
             $request->getPassword() === config('auth.basic.password')
         ) {
             return $next($request);
@@ -26,4 +29,14 @@ public function handle($request, Closure $next)
             'WWW-Authenticate' => 'Basic',
         ]);
     }
+
+    /**
+     * @param \Illuminate\Http\Request $request
+     *
+     * @return bool
+     */
+    public function emptyCredentials(Request $request): bool
+    {
+        return $request->getUser() === null && $request->getPassword() === null;
+    }
 }

tests/SuperBasicAuthTest.php

@@ -65,4 +65,20 @@ public function it_authenticates_a_user_by_correct_username_and_password()
             ->assertStatus(200)
             ->assertSee('admin');
     }
+
+    /** @test */
+    public function it_denies_entry_when_username_or_password_are_null()
+    {
+        app('config')->set('auth.basic.user', null);
+        app('config')->set('auth.basic.password', null);
+
+        $headers = [
+            'PHP_AUTH_USER' => null,
+            'PHP_AUTH_PW' => null,
+        ];
+
+        $this->get('/admin', $headers)
+            ->assertStatus(401)
+            ->assertHeader('WWW-Authenticate', 'Basic');
+    }
 }