From eceb0ac2af47a021a94d176b8a1682b812786921 Mon Sep 17 00:00:00 2001 From: Eric Anderson Date: Mon, 5 Sep 2016 12:36:30 -0500 Subject: [PATCH] fix(auth) blank password results in inability to authenticate Found myself in a vicious loop if I failed to type in a password when prompted in Chrome. Every refresh of the page would fall into the criton check with a blank password. Seems Chrome wouldn't clear the headers until I closed the browser and/or switched to a new incognito tab. Probably a user error, but still, this avoided the criton throw. --- lib/server/auth.js | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/server/auth.js b/lib/server/auth.js index ef7b2c43..1f3fe357 100644 --- a/lib/server/auth.js +++ b/lib/server/auth.js @@ -29,14 +29,18 @@ } function check(username, password, callback) { - var sameName, + var BAD_CREDENTIALS = false, + sameName, samePass, name = config('username'), pass = config('password'), algo = config('algo'); - sameName = username === name; - samePass = pass === criton(password, algo); + if (!password) + return callback(BAD_CREDENTIALS); + + sameName = username === name; + samePass = pass === criton(password, algo); callback(sameName && samePass); }
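Review bot: The credential comparison kept on the new side, `samePass = pass === criton(password, algo);`, compares the stored and computed hashes with `===`, which is not a constant-time comparison. Assuming `criton` returns a string digest (its output format is not visible here), compute `hash = criton(password, algo)` once and use `samePass = pass.length === hash.length && crypto.timingSafeEqual(Buffer.from(pass), Buffer.from(hash));`. This needs `crypto` required at the top of `lib/server/auth.js`, which is outside the hunk. The new `if (!password)` guard fails closed, which is the right direction, but it deserves a why-comment such as `// criton throws on an empty password; treat it as failed authentication`. The `BAD_CREDENTIALS` local could then become a plain `callback(false)`.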