From d075b6dfd30eddc44668b10c96d051234f4c50d3 Mon Sep 17 00:00:00 2001
From: David Glasser
Date: Fri, 18 Jul 2014 16:35:39 -0700
Subject: [PATCH] Consider empty passwords to be a user error

Programming errors like "the code doesn't try to provide a password" should throw, but user errors like "the code pulled a password from an input but it was empty" should use the callback. Fixes #2272.
---
 packages/accounts-password/package.js | 2 +-
 packages/accounts-password/password_client.js | 23 +++++++++++++++----
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/packages/accounts-password/package.js b/packages/accounts-password/package.js
index 95f5804885..de2fdcd18d 100644
--- a/packages/accounts-password/package.js
+++ b/packages/accounts-password/package.js
@@ -10,7 +10,7 @@ Package.on_use(function(api) {
 api.use('sha', ['client', 'server']);
 api.use('email', ['server']);
 api.use('random', ['server']);
- api.use('check', ['server']);
+ api.use('check');
 api.use('underscore');
 api.use('livedata', ['client', 'server']);
diff --git a/packages/accounts-password/password_client.js b/packages/accounts-password/password_client.js
index 3767a86bb7..cf510d2a5a 100644
--- a/packages/accounts-password/password_client.js
+++ b/packages/accounts-password/password_client.js
@@ -89,8 +89,12 @@ var srpUpgradePath = function (options, callback) {
 Accounts.createUser = function (options, callback) {
 options = _.clone(options); // we'll be modifying options
- if (!options.password)
+ if (typeof options.password !== 'string')
 throw new Error("Must set options.password");
+ if (!options.password) {
+ callback(new Meteor.Error(400, "Password may not be empty"));
+ return;
+ }
 // Replace password with the hashed password.
 options.password = hashPassword(options.password);
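Review bot: The new empty-password branch in `Accounts.createUser` calls `callback(...)` unconditionally, so a caller that passes no callback gets a TypeError rather than the intended 400 error. The `Accounts.changePassword` and `Accounts.resetPassword` hunks add the same call, and the comment above `resetPassword` documents its callback as optional. Guard each one, for example `var err = new Meteor.Error(400, "Password may not be empty");` followed by `if (callback) callback(err); else throw err;`. The body of `createUser` continues past the end of the hunk.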
@@ -117,6 +121,12 @@ Accounts.changePassword = function (oldPassword, newPassword, callback) {
 return;
 }
+ check(newPassword, String);
+ if (!newPassword) {
+ callback(new Meteor.Error(400, "Password may not be empty"));
+ return;
+ }
+
 Accounts.connection.apply(
 'changePassword',
 [oldPassword ? hashPassword(oldPassword) : null, hashPassword(newPassword)],
@@ -171,10 +181,13 @@ Accounts.forgotPassword = function(options, callback) {
 // @param newPassword {String}
 // @param callback (optional) {Function(error|undefined)}
 Accounts.resetPassword = function(token, newPassword, callback) {
- if (!token)
- throw new Error("Need to pass token");
- if (!newPassword)
- throw new Error("Need to pass newPassword");
+ check(token, String);
+ check(newPassword, String);
+
+ if (!newPassword) {
+ callback(new Meteor.Error(400, "Password may not be empty"));
+ return;
+ }
 Accounts.callLoginMethod({
 methodName: 'resetPassword',
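Review bot: The empty-password test added to `Accounts.changePassword` is a client-side convenience, not an enforcement point, and nothing in the code says so. The value sent is `hashPassword(newPassword)`, so any caller that reaches the `changePassword` method without going through this function never runs the check. Whether the server refuses an empty password is not visible in this diff, and if it only receives the hashed value it cannot detect emptiness from the plaintext. A comment above the check such as `// UX check only; the server must not rely on this to reject empty passwords` would make that clear. The function starts and ends outside the hunk.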
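Review bot: `check(token, String)` in `Accounts.resetPassword` accepts the empty string, which the removed `if (!token)` guard rejected. An empty reset token is therefore now passed on to `Accounts.callLoginMethod` and left for the server to refuse. If that is not intended, keep a non-empty test after the type check, for example `if (!token) throw new Error("Need to pass token");`. The function body continues past the end of the hunk.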