
[BUG] authenticated-user-header broken for unauthenticated requests #8237

Closed
otaconix opened this issue Jun 6, 2024 · 1 comment

otaconix commented Jun 6, 2024

Describe the bug

The authenticated-user-header authentication works correctly when the specified header is present, but it does not when it isn't.

Expected behavior

A GET to https://tiddlywiki.example.com/status should return a JSON object containing:

{
  "username": "",
  "anonymous": true
}

Instead, I'm getting:

{
  "username": "undefined",
  "anonymous": false
}

To Reproduce

  1. Run the server like so:
     tiddlywiki /tiddlers-dir --listen host=0.0.0.0:8080 "readers=(anon)" "writers=(authenticated)" authenticated-user-header=some-header
  2. Perform an unauthenticated request:
     curl http://localhost:8080/status

Screenshots

No response

TiddlyWiki Configuration

  • Version: 5.3.3
  • Saving mechanism: Node.js
  • Plugins installed: none

Desktop:

  • OS: macOS, Linux
  • Browser: Firefox, Chrome, Safari

Additional context

Just to explain my use-case: I host a single instance of the tiddlywiki server, and I expose it through two different hostnames. Through one of these hostnames, the header containing the current username is set, not so through the other one. This allows me to present a read-only version to the public, while requiring authentication for myself when I want to edit my wiki.

What seems to be happening is that authenticated-user-header URI-decodes the header value, which happens to be undefined when the header is absent from the request. This decoding happens by (indirectly) calling decodeURIComponent(), and Node's implementation returns "undefined" when the input is undefined (which appears to be conforming to the ECMAScript spec¹,²).

Changing authenticateRequest in header.js to the following seems to fix my problem:

HeaderAuthenticator.prototype.authenticateRequest = function(request,response,state) {
	// Otherwise, authenticate as the username in the specified header
	var username = request.headers[this.header];
	if(!username && !state.allowAnon) {
		response.writeHead(401,"Authorization header required to login to '" + state.server.servername + "'");
		response.end();
		return false;
	}

	if(username) {
		// authenticatedUsername will be undefined for anonymous users
		state.authenticatedUsername = $tw.utils.decodeURIComponentSafe(username);
	}

	return true;
};
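As an added illustration (not TiddlyWiki's own code or the reporter's), the following stand-in for the authenticator runs the pre-fix and post-fix logic against constructed requests, showing how an absent header turns into a logged-in user named "undefined" and how the guard above restores the anonymous result. The helper `decodeURIComponentSafe`, the hard-coded lowercase header name "some-header", and the shape of the `/status` response are assumptions made for the example.

```javascript
// Stand-in for $tw.utils.decodeURIComponentSafe (assumed behaviour: plain
// decodeURIComponent that hands back the input unchanged on a decode error).
function decodeURIComponentSafe(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// Pre-fix logic: the header value is decoded unconditionally, so an absent
// header (undefined) is stringified to "undefined" by decodeURIComponent.
function authenticateBefore(request, state) {
  var username = request.headers["some-header"];  // header name assumed, lowercased as Node does
  if (!username && !state.allowAnon) { return 401; }
  state.authenticatedUsername = decodeURIComponentSafe(username);
  return 200;
}

// Post-fix logic from the issue: decode only when the header was actually sent,
// so state.authenticatedUsername stays undefined for anonymous requests.
function authenticateAfter(request, state) {
  var username = request.headers["some-header"];
  if (!username && !state.allowAnon) { return 401; }
  if (username) { state.authenticatedUsername = decodeURIComponentSafe(username); }
  return 200;
}

// Assumed shape of the /status response: a missing username is reported as ""
// and the request as anonymous; any non-empty string counts as a login.
function statusFor(state) {
  return {
    username: state.authenticatedUsername || "",
    anonymous: !state.authenticatedUsername
  };
}

// Constructed requests: one without the header, one with a percent-encoded name.
var anonRequest = { headers: {} };
var namedRequest = { headers: { "some-header": "j%C3%BCrgen" } };

var before = { allowAnon: true };
authenticateBefore(anonRequest, before);
console.log(JSON.stringify(statusFor(before)));  // {"username":"undefined","anonymous":false}

var after = { allowAnon: true };
authenticateAfter(anonRequest, after);
console.log(JSON.stringify(statusFor(after)));   // {"username":"","anonymous":true}
```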
@Jermolene (Member)

Thank you @otaconix, and apologies for the delay. I think your diagnosis is correct, and I have committed the fix in 2d5b935
