MEDIUM 6.5

GHSA-p44q-vqpr-4xmg

Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client

Details

## Summary

When a client requests a token-protected resource without passing a token, or passes an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the `token` argument set to an empty string. If the application had any users in its database with an empty string stored as their token, the request could then be authenticated as any of those users.

## Notes

- This issue applies only to token authentication.
- This issue applies only when the application verifies tokens by searching for them in a user database.
- This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to `NULL` instead.
- Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.
- Basic and Digest authentication are not affected by this issue.

## Remediation

To protect against this issue, developers should make sure that no user in the user database has their `token` set to an empty string. If there are such users, change the value of those tokens to `NULL` instead.

Alternatively, developers can upgrade their projects to `Flask-HTTPAuth>=4.8.1`, which fixes this issue.
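The following is an added example, not code from the Flask-HTTPAuth project or the advisory: it models the application-side token lookup the Summary describes, with a user table that stores `""` for an unassigned token beside one that stores `NULL`/`None`, and a lookup that refuses empty tokens as the Remediation recommends. The user table, the `User` type and the `verify_token_*` names are constructed for illustration, so it runs without Flask installed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    token: Optional[str]  # None means "no token assigned"


# Constructed user table: "bob" has never been issued a token and the
# application stores that as an empty string, the state the advisory warns about.
USERS_EMPTY_STRING: Tuple[User, ...] = (
    User("alice", "s3cr3t-token-alice"),
    User("bob", ""),
)

# Same table after the advisory's remediation: unassigned tokens are NULL/None.
USERS_NULL: Tuple[User, ...] = (
    User("alice", "s3cr3t-token-alice"),
    User("bob", None),
)


def verify_token_weak(token: str, users=USERS_EMPTY_STRING) -> Optional[User]:
    """Naive lookup: returns whichever user's stored token equals the argument.
    Before Flask-HTTPAuth 4.8.1 the callback was invoked with token == ""
    when the client sent no token, so this matches "bob" and authenticates
    an anonymous request as that user."""
    for user in users:
        if user.token == token:
            return user
    return None


def verify_token_fixed(token: str, users=USERS_NULL) -> Optional[User]:
    """Defensive lookup: reject empty tokens before touching the database and
    never match a user whose token is unassigned, so the result does not depend
    on the framework version or on how the database encodes 'no token'."""
    if not token:
        return None
    for user in users:
        if user.token is not None and user.token == token:
            return user
    return None
```

Both guards are worth keeping even after upgrading: the `NULL` storage stops the weak lookup from matching, and the explicit empty-token check stops the application from relying on the framework to filter the input.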


Affected packages

PyPI / flask-httpauth
Introduced in: 0
Fixed in: 4.8.1
Fix: `pip install --upgrade 'flask-httpauth>=4.8.1'`
