Use &[u8]::get() instead of &[u8]::index() to avoid panic in basic auth

[bheylin]

I experienced a panic in production code at authorization:l159 for headers v 0.4.1.
I don't have logs of the actual header yet, but I know that the header value was length 3.

I propose returning a None if the prefix strip doesn't succeed.

[seanmonstar]

This should probably be fine, but I went to look, and the decode implementation for Authorization<C> should already make sure the bytes were long enough for the scheme... Were you using Credentials separate from the Authorization type?

[bheylin]

The code that led to the panic is calling the Credentials::decode impl on headers::authorization::Basic directly, without any Authorization wrapper. So that explains why the panic occurred in this case.

Based on the code I read in Authorization::decode, I presume that you don't expect Basic::decode to be called directly from user code?

fn extract_auth_values(req: &mut axum::Request) -> Result<(uuid::Uuid, ApiPlainSecret), StatusCode> {
    let auth_header = req
        .headers()
        .get(http::header::AUTHORIZATION)
        .ok_or_else(|| {
            debug!("Authorization header not found");
            StatusCode::UNAUTHORIZED
        })?;

    let Some(auth) = headers::authorization::Basic::decode(auth_header) else {
        debug!("Failed to decode auth headers");
        return Err(StatusCode::UNAUTHORIZED);
    };
    
    let plain_secret = ApiPlainSecret::new(auth.password().to_owned());
    Ok((public_id, plain_secret))
}

[seanmonstar]

Ah very interesting. Yea, I never originally meant for it to be used separately, but I didn't really prepare that or document or anything. Again, seems fine to fix that up. :)