jaredhanson / passport-http

HTTP Basic and Digest authentication strategies for Passport and Node.js.

Home Page:https://www.passportjs.org/packages/passport-http/?utm_source=github&utm_medium=referral&utm_campaign=passport-http&utm_content=about


Submitting an empty string for the username in Digest auth returns a 400 instead of a 401.

davidpodolsky opened this issue

Ran into an issue when testing my site with the Digest strategy and using an empty username. It seems that if you put in an empty string for the username, then the passport module returns a 400 instead of a 401. From the Digest auth spec it appears an empty username is valid and a 401 should be returned. This change may seem minor, but the 400 really screws up the auth caching in browsers and other HTTP stacks. In Chrome, after the 400, your credentials are now cached and it won't prompt for another user/pass until the cache is cleared (browser restart).

I suggest removing the check for a valid username in digest.js.

digest.js:111 - digest.js:113

/*
if (!creds.username) {
  return this.fail(400);
}
*/

Thanks

Agreed. Do you have time to add a test case for empty usernames and remove that check? If so I'll get a pull request merged in soon. Otherwise I'll make the modifications, but I can't promise a timeframe.

Jared,
Any chance you could get my pull request merged in? Bug is fixed, tested, and I wrote the proper test cases to test for empty username. Builds are passing. Thanks for your time.

Closed by mistake. I will close after the pull.

Merged both, with modifications and additional tests. Everything should check out, so I published to npm as passport-http v0.2.2. Let me know if any other changes are needed. Thanks!