Username not accounted for #8

Merged
merged 2 commits into from Jan 25, 2012

Contributor

strager commented Jan 25, 2012

When using the basic authentication method, the username seems to be ignored.

(Whitespace added for readability.)

http-auth$ node examples/example.js &
Server running at http://127.0.0.1:1337/

http-auth$ curl -u mia:supergirl http://localhost:1337/
Welcome to private area!

http-auth$ curl -u mia:upergirl http://localhost:1337/
<!DOCTYPE html>
<html><head><title>401 Unauthorized</title></head><body><h1>401 Unauthorized</h1><p>This page requires authorization.</p></body></html>

http-auth$ curl -u mi:supergirl http://localhost:1337/
Welcome to private area!

strager added some commits Jan 25, 2012

@strager strager Add failing test (security problem!) regarding username lookup
If a client requests authentication with a good password (but not a good
username), authentication should *not* be successful.
7d084ef
@strager strager Fix failing unit tests: test-basic/testIsAuthenticatedFalseSamePassword 623b312

@gevorg gevorg added a commit that referenced this pull request Jan 25, 2012

@gevorg gevorg Merge pull request #8 from strager/fix-no-username-check
Username not accounted for
01601a3

@gevorg gevorg merged commit 01601a3 into http-auth:master Jan 25, 2012

Owner

gevorg commented Jan 25, 2012

Thanks for fixing!

Gevorg.
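
The three curl requests from the report, replayed against a password-only check and a username-bound check. This is an added example, not part of the original thread and not http-auth's code: the user table, function names and the shape of the flawed check are assumptions chosen to reproduce the reported symptom.

```javascript
// Added illustration, not http-auth's source. All names here are hypothetical.
// Constructed user table using the credentials from the curl session above.
const USERS = new Map([['mia', 'supergirl']]);

// Decode "Basic <base64(user:pass)>" into its two fields, or null if malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Flawed (assumed shape of the bug): the password is matched against every
// stored password and the supplied username is never consulted.
function isAuthenticatedPasswordOnly(header) {
  const c = parseBasic(header);
  return c !== null && [...USERS.values()].includes(c.pass);
}

// Corrected: the username selects the record, and only that record's
// password is compared. Unknown usernames fail.
function isAuthenticated(header) {
  const c = parseBasic(header);
  if (c === null || !USERS.has(c.user)) return false;
  return USERS.get(c.user) === c.pass;
}

// Build the header value that `curl -u user:pass` would send.
function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

// Replay the three requests from the report against both checks.
function replayReport() {
  const cases = [['mia', 'supergirl'], ['mia', 'upergirl'], ['mi', 'supergirl']];
  return cases.map(([u, p]) => ({
    creds: `${u}:${p}`,
    passwordOnly: isAuthenticatedPasswordOnly(basicHeader(u, p)),
    fixed: isAuthenticated(basicHeader(u, p)),
  }));
}

console.table(replayReport());
```

The third row (`mi:supergirl`) is the regression case: a test suite for a Basic authentication check should include a wrong username paired with a valid password, as the failing test added in this pull request does.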
