Username not accounted for #8

merged 2 commits into from Jan 25, 2012



strager commented Jan 25, 2012

When using the basic authentication method, the username seems to be ignored.

(Whitespace added for readability.)

http-auth$ node examples/example.js &
Server running at

http-auth$ curl -u mia:supergirl http://localhost:1337/
Welcome to private area!

http-auth$ curl -u mia:upergirl http://localhost:1337/
<!DOCTYPE html>
<html><head><title>401 Unauthorized</title></head><body><h1>401 Unauthorized</h1><p>This page requires authorization.</p></body></html>

http-auth$ curl -u mi:supergirl http://localhost:1337/
Welcome to private area!
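The session above, reproduced as an added example that is not part of the original thread and is not http-auth's own code: a Basic `Authorization` header check written once with the password tested against the whole credential store and once tied to the supplied username. The page does not show the project's source, so the flawed logic, the function names and the `USERS` store are assumptions made for illustration.

```javascript
'use strict';
const { createHash, timingSafeEqual } = require('crypto');

// Constructed credential store (user -> password), mirroring the curl session.
const USERS = new Map([['mia', 'supergirl']]);

// Parse "Basic <base64(user:pass)>"; returns null when the header is malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Flawed check (hypothetical): succeeds if the password matches ANY stored password.
function isAuthenticatedFlawed(header) {
  const c = parseBasic(header);
  return c !== null && [...USERS.values()].includes(c.pass);
}

// Compare fixed-length digests so timingSafeEqual never sees unequal lengths.
function safeEqual(a, b) {
  const digest = (s) => createHash('sha256').update(s, 'utf8').digest();
  return timingSafeEqual(digest(a), digest(b));
}

// Corrected check: the password must match the entry for the supplied username.
function isAuthenticated(header) {
  const c = parseBasic(header);
  if (c === null || !USERS.has(c.user)) return false;
  return safeEqual(c.pass, USERS.get(c.user));
}

// Build the header value that `curl -u user:pass` sends.
function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

// The three requests from the report, run against both checks.
for (const [u, p] of [['mia', 'supergirl'], ['mia', 'upergirl'], ['mi', 'supergirl']]) {
  const h = basicHeader(u, p);
  console.log(`${u}:${p} flawed=${isAuthenticatedFlawed(h)} fixed=${isAuthenticated(h)}`);
}
```

A regression test for this class of bug needs the wrong-username, right-password case (`mi:supergirl`), since the other two requests pass under both versions.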

strager added some commits Jan 25, 2012

@strager strager Add failing test (security problem!) regarding username lookup
If a client requests authentication with a good password (but not a good
username), authentication should *not* be successful.
@strager strager Fix failing unit tests: test-basic/testIsAuthenticatedFalseSamePassword 623b312

@gevorg gevorg added a commit that referenced this pull request Jan 25, 2012

@gevorg gevorg Merge pull request #8 from strager/fix-no-username-check
Username not accounted for

@gevorg gevorg merged commit 01601a3 into http-auth:master Jan 25, 2012


gevorg commented Jan 25, 2012

Thanks for fixing!

