Fix for HTTP Basic Auth when base64 encoded string wraps

When using a token longer than approximately 45 characters, the base64 encoded string passed in the HTTP_AUTHORIZATION header will contain newline characters. The existing implementation used a regex which didn't handle this case correctly.
arunagw · Nov 15, 2010 · 19219cb · 19219cb
1 parent 32c6f7b
commit 19219cb
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/lib/devise/strategies/authenticatable.rb b/lib/devise/strategies/authenticatable.rb
@@ -97,7 +97,7 @@ def valid_password?
       # Helper to decode credentials from HTTP.
       def decode_credentials
         return [] unless request.authorization && request.authorization =~ /^Basic (.*)/
-        ActiveSupport::Base64.decode64($1).split(/:/, 2)
+        ActiveSupport::Base64.decode64(request.authorization.split(' ', 2).last).split(/:/, 2)
       end
 
       # Sets the authentication hash and the password from params_auth_hash or http_auth_hash.

diff --git a/test/integration/http_authenticatable_test.rb b/test/integration/http_authenticatable_test.rb
@@ -47,6 +47,16 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'sign in should authenticate with really long token' do
+    token = "token_containing_so_many_characters_that_the_base64_encoding_will_wrap"
+    user = create_user
+    user.update_attribute :authentication_token, token
+    get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "Basic #{ActiveSupport::Base64.encode64("#{token}:x")}"
+    assert_response :success
+    assert_match "<email>user@test.com</email>", response.body
+    assert warden.authenticated?(:user)
+  end
+
   private
 
     def sign_in_as_new_user_with_http(username="user@test.com", password="123456")