From 2a124a3d471be293fc547d8d6fd44b0114413149 Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Tue, 13 Jan 2026 21:02:30 +0100
Subject: [PATCH] Check for empty usernames in ReverseProxyAuthMiddleware (references #2843)

---
 middleware/ReverseProxyAuthMiddleware.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/ReverseProxyAuthMiddleware.php b/middleware/ReverseProxyAuthMiddleware.php
index 952cbce0..18f491af 100644
--- a/middleware/ReverseProxyAuthMiddleware.php
+++ b/middleware/ReverseProxyAuthMiddleware.php
@@ -40,7 +40,7 @@ class ReverseProxyAuthMiddleware extends AuthMiddleware
 else
 {
 $username = $request->getHeader(GROCY_REVERSE_PROXY_AUTH_HEADER);
- if (count($username) !== 1)
+ if (count($username) !== 1 || (count($username) === 1 && strlen($username[0]) === 0))
 {
 // Invalid configuration of Proxy
 throw new \Exception('ReverseProxyAuthMiddleware: ' . GROCY_REVERSE_PROXY_AUTH_HEADER . ' header is missing or invalid');
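Review bot: The new empty check in the `if` only rejects a zero-length value, so a header made up solely of whitespace would still be accepted as a username, assuming the request object does not already trim header values. Since this middleware takes the identity from a proxy-supplied header, comparing the trimmed value is safer. The inner `count($username) === 1 &&` is also redundant, because the right side of `||` is only evaluated when the count is 1: `if (count($username) !== 1 || trim($username[0]) === '')`. The enclosing method starts and ends outside the hunk, so how `$username[0]` is used afterwards is not visible here.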