When you set the default user to off, if you have nopass set for the default user's passwords, you are still initially authenticated as the default user without requiring authentication. However, if you set a password for the default user, it appears like off is enforced.

I'm not sure if this is by design and maybe something that will be covered in documentation, but if the default user is turned off, shouldn't you require authentication before being logged in as a user?

What are your thoughts here @antirez?

Example below:

127.0.0.1:6379> acl list
1) "user admin on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* +@all"
2) "user default off nopass ~* +@all"
127.0.0.1:6379> acl whoami
"admin"
127.0.0.1:6379> exit
Jamies-MacBook-Pro:~ jamie$ redis-cli
127.0.0.1:6379> acl whoami
"default"
127.0.0.1:6379> set foo bar
OK
127.0.0.1:6379> acl setuser default >password
OK
127.0.0.1:6379> acl list
1) "user admin on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* +@all"
2) "user default off #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* +@all"
127.0.0.1:6379> exit
Jamies-MacBook-Pro:~ jamie$ redis-cli
127.0.0.1:6379> acl whoami
(error) NOAUTH Authentication required.
127.0.0.1:6379> set foo bar
(error) NOAUTH Authentication required.
127.0.0.1:6379> auth default password
(error) WRONGPASS invalid username-password pair

Comment From: antirez

This was a bug indeed @IAmATeaPot418, thank you. Fixed and regression test added.
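
A check for the state reported in this issue, as an added example that is not part of the original thread or of Redis itself: it parses `ACL LIST` lines and compares them with what `ACL WHOAMI` returns on a fresh, unauthenticated connection. The function names and the sample lines (modelled on the session above, with a constructed placeholder hash) are assumptions.

```python
import re

def parse_acl_list(lines):
    """Parse `ACL LIST` rule lines into {name: {"enabled", "nopass", "hashes"}}."""
    users = {}
    for line in lines:
        # Tolerate the redis-cli wrapper, e.g.: 1) "user default off nopass ~* +@all"
        m = re.search(r'\buser\s+(\S+)\s+([^"]*)', line)
        if not m:
            continue
        tokens = m.group(2).split()
        users[m.group(1)] = {
            "enabled": "on" in tokens and "off" not in tokens,
            "nopass": "nopass" in tokens,
            "hashes": sum(t.startswith("#") for t in tokens),
        }
    return users

def audit(acl_lines, fresh_whoami):
    """fresh_whoami: ACL WHOAMI reply on a new connection before AUTH, or None for NOAUTH."""
    users = parse_acl_list(acl_lines)
    findings = []
    default = users.get("default")
    if default and not default["enabled"] and fresh_whoami == "default":
        # The behaviour reported in this issue: `off` is not enforced at connect time.
        findings.append("default is off but new connections are implicitly authenticated as it")
    if default and default["enabled"] and default["nopass"]:
        findings.append("default is on with nopass: new connections need no AUTH")
    for name, u in users.items():
        if name != "default" and u["enabled"] and u["nopass"]:
            findings.append(f"{name} is on with nopass: any password authenticates as it")
    return findings

# Constructed sample input modelled on the two ACL LIST outputs in the session above.
H = "#" + "ab" * 32  # constructed placeholder hash, not a real credential
BEFORE = [f'1) "user admin on {H} ~* +@all"', '2) "user default off nopass ~* +@all"']
AFTER = [f'1) "user admin on {H} ~* +@all"', f'2) "user default off {H} ~* +@all"']

if __name__ == "__main__":
    print(audit(BEFORE, "default"))  # fresh connection answered "default"
    print(audit(AFTER, None))        # fresh connection answered NOAUTH
```

Feed `fresh_whoami` from a connection that has sent no `AUTH`; a non-empty result for a disabled default user indicates a server without the fix mentioned in the reply.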