
Error in basic-auth authorization #2986

Closed
nico-acidtango opened this issue Oct 26, 2017 · 5 comments
Labels
good first issue Issues that beginners/volunteers can easily help with. task/bug

Comments

@nico-acidtango
Contributor

nico-acidtango commented Oct 26, 2017

Summary

Error creating and using credentials in basic-auth with passwords that contain ':' characters.

Assumptions and general info

  • Kong version 0.11.0
  • Assume we have a consumer with consumer-id 060be9b3-cc9d-4e74-9d39-ff227581a20b

Steps To Reproduce

  1. Create a credential with a password containing ':'
     $ curl -X POST http://kong:8001/consumers/060be9b3-cc9d-4e74-9d39-ff227581a20b/basic-auth \
         --data "username=test" \
         --data "password=s43_Pos:bwUV5E"
  2. Try to use it in an API, proxying to httpbin
     curl --user test http://localhost:8080/test
  3. Check that the user is not authenticated in the response. In my case, it is sent with anonymous headers.

Additional Details & Logs

The problem, as far as I could see browsing the code, is that the authorization header is being split using ':' and only the first two parts are used (the first part is considered the user and the second part the password), effectively discarding parts of the password.

local basic_parts = utils.split(decoded_basic, ":")
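To make the failure mode concrete, here is an added Python reimplementation of the two parsing strategies; it is not Kong's Lua code and does not call `utils.split`. `parse_basic_credentials_buggy` reproduces the behaviour the report describes (split on every ':' and keep the first two pieces, which is an assumption about what that line does), while `parse_basic_credentials` follows RFC 7617, where the user-id may not contain a colon, so everything after the first ':' is the password. The header value and credential below are constructed from the reproduction steps above.

```python
import base64


def build_basic_header(username, password):
    """Build an 'Authorization: Basic ...' value the way curl --user does:
    base64('user:pass'). Used here only to construct sample input."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_credentials_buggy(header_value):
    """Assumed reproduction of the bug in the report: the decoded
    'user:pass' string is split on every ':' and only the first two
    pieces are kept, so a ':' inside the password truncates it and
    the password check then fails."""
    token = header_value.split(" ", 1)[1]
    decoded = base64.b64decode(token).decode("utf-8")
    parts = decoded.split(":")
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def parse_basic_credentials(header_value):
    """RFC 7617 parse: split only at the FIRST ':' because the user-id
    cannot contain one; the remainder, colons included, is the password.
    Returns (username, password) or None for anything malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects stray characters instead of silently dropping them
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        # no separator at all, or an empty user-id: not a usable credential
        return None
    return username, password


def demo():
    """Show the difference on the credential from the report."""
    header = build_basic_header("test", "s43_Pos:bwUV5E")
    return {
        "buggy": parse_basic_credentials_buggy(header),
        "rfc7617": parse_basic_credentials(header),
    }


if __name__ == "__main__":
    for name, creds in demo().items():
        print(f"{name}: {creds}")
```

A related but separate point: the curl reproduction creates the credential with `--data "password=..."`, which is sent as form data, so characters with meaning in that encoding (such as '%') need to be escaped; curl's `--data-urlencode` does this for you. That is an Admin API request issue, not the proxy-side header parse shown above.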

@thibaultcha
Member

Hi @nico-acidtango ! Thank you for the report. We would welcome a PR to fix this, if you are willing to give it a stab!

@thibaultcha thibaultcha added the good first issue Issues that beginners/volunteers can easily help with. label Nov 2, 2017
@nico-acidtango
Contributor Author

Hi @thibaultcha ! I think I can handle it, and I'm happy to help. I'll get to it as soon as possible.

@chenyukang
Contributor

chenyukang commented Nov 5, 2017

Nice work!
I also have a question for basic-auth,
how to specify the username for basic-auth?
Suppose I have two consumers, and generate basic auth credentials separately with:

user1 -> password1
user2 -> password2

now when enabling basic-auth for an API, since there is no option to specify the username,
both user1 and user2 with the correct password will be processed successfully.

@thibaultcha

@chenyukang
Contributor

@nico-acidtango
you said 'Password containing '%' is not processed correctly',
but the PR fixes ':', did I miss something?

@nico-acidtango
Contributor Author

@chenyukang you are right, I forgot to mention that the part about the password containing '%' was my mistake for not URL-encoding that part of the password when making the request; I found that out while writing the tests...

I'll edit the issue
