I encountered this as well: there's no documentation as to what auth string should be accepted in the case of no user.

It's probably best to require rpcuser and rpcpassword in future versions is my two cents. This is generally what's expected from an HTTP Auth anyway.