Merge pull request #337 from cemcatik/basic

BasicAuthProvider should check the method is Basic
mohiva · May 5, 2015 · 0eca774 · 0eca774
2 parents 7163750 + 93972d7
commit 0eca774
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/silhouette/app/com/mohiva/play/silhouette/impl/providers/BasicAuthProvider.scala b/silhouette/app/com/mohiva/play/silhouette/impl/providers/BasicAuthProvider.scala
@@ -89,11 +89,12 @@ class BasicAuthProvider(
    */
   def getCredentials(request: RequestHeader): Option[Credentials] = {
     request.headers.get(HeaderNames.AUTHORIZATION) match {
-      case Some(header) => Base64.decode(header.replace("Basic ", "")).split(":") match {
-        case credentials if credentials.length == 2 => Some(Credentials(credentials(0), credentials(1)))
-        case _ => None
-      }
-      case None => None
+      case Some(header) if header.startsWith("Basic ") =>
+        Base64.decode(header.replace("Basic ", "")).split(":") match {
+          case credentials if credentials.length == 2 => Some(Credentials(credentials(0), credentials(1)))
+          case _ => None
+        }
+      case _ => None
     }
   }
 }

diff --git a/silhouette/test/com/mohiva/play/silhouette/impl/providers/BasicAuthProviderSpec.scala b/silhouette/test/com/mohiva/play/silhouette/impl/providers/BasicAuthProviderSpec.scala
@@ -102,6 +102,12 @@ class BasicAuthProviderSpec extends PlaySpecification with Mockito {
       await(provider.authenticate(request)) must beSome(loginInfo)
       there was one(authInfoRepository).update(loginInfo, passwordInfo)
     }
+
+    "return None if Authorization method is not Basic and Base64 decoded header has ':'" in new WithApplication with Context {
+      val request = FakeRequest().withHeaders(AUTHORIZATION -> Base64.encode("NotBasic foo:bar"))
+
+      await(provider.authenticate(request)) must beNone
+    }
   }
 
   /**