From 0c55c6475701b66c28c245483aeaf4d0179a3cca Mon Sep 17 00:00:00 2001
From: lhchavez <lhchavez@lhchavez.com>
Date: Thu, 11 Mar 2021 05:38:13 -0800
Subject: [PATCH 1/1] Normalize the credentials presence check

Most places that check for the presence / absence of credentials compare
them against `undefined`, except the one for Plain authentication.

This change makes the very last place to use the same pattern (instead
of checking for falsiness) for consistency. Additionally, there are ways
to configure PAM to accept empty passwords, so it's possible for a user
to legitimately send an empty string as password.
---
 core/rfb.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/rfb.js b/core/rfb.js
index e3786cb..05a5979 100644
--- a/core/rfb.js
+++ b/core/rfb.js
@@ -1427,8 +1427,8 @@ export default class RFB extends EventTargetMixin {
 
         // negotiated Plain subtype, server waits for password
         if (this._rfbVeNCryptState == 4) {
-            if (!this._rfbCredentials.username ||
-                !this._rfbCredentials.password) {
+            if (this._rfbCredentials.username === undefined ||
+                this._rfbCredentials.password === undefined) {
                 this.dispatchEvent(new CustomEvent(
                     "credentialsrequired",
                     { detail: { types: ["username", "password"] } }));
-- 
2.39.2