
Ensure that the basic auth middleware correctly parses passwords containing `:`.

According to section 2 of RFC 2617, a password may contain any token, including
`:`.
commit a580a9d771a7429975d69246de2f9c17a52fa5bd 1 parent 088d867
Kit Cambridge authored
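--- a/lib/middleware/basicAuth.js
+++ b/lib/middleware/basicAuth.js
@@ -72,11 +72,13 @@ module.exports = function basicAuth(callback, realm) {
     if (parts.length !== 2) return next(utils.error(400));
 
     var scheme = parts[0]
-      , credentials = new Buffer(parts[1], 'base64').toString().split(':')
-      , user = credentials[0]
-      , pass = credentials[1];
+      , credentials = new Buffer(parts[1], 'base64').toString()
+      , index = credentials.indexOf(':');
 
-    if ('Basic' != scheme) return next(utils.error(400));
+    if ('Basic' != scheme || index < 0) return next(utils.error(400));
+    
+    var user = credentials.slice(0, index)
+      , pass = credentials.slice(index + 1);
 
     // async
     if (callback.length >= 3) {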
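Review bot: The rewritten guard at new line 78, `if ('Basic' != scheme || index < 0)`, still matches the scheme token case-sensitively, even though the commit message relies on RFC 2617 and that RFC (§1.2) defines the auth-scheme as a case-insensitive token, so a client sending `basic` or `BASIC` is rejected with 400. Assuming `parts[0]` is a string produced by splitting the header above the hunk, one line covers it: `if ('basic' !== scheme.toLowerCase() || index < 0) return next(utils.error(400));`. The added blank line at new 79 also carries four trailing spaces. The enclosing basicAuth handler starts and ends outside this hunk.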
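--- a/test/basicAuth.js
+++ b/test/basicAuth.js
@@ -19,7 +19,7 @@ function test(app, signature) {
       it('should next()', function(done){
         app.request()
         .get('/')
-        .set('Authorization', 'Basic dGo6dG9iaQ==')
+        .set('Authorization', 'Basic dGo6dG9iaTpsZWFybmJvb3N0')
         .end(function(res){
           res.statusCode.should.equal(200);
           res.body.should.equal('secret!');
@@ -72,7 +72,7 @@ function test(app, signature) {
 
 var app = connect();
 
-app.use(connect.basicAuth('tj', 'tobi'));
+app.use(connect.basicAuth('tj', 'tobi:learnboost'));
 
 app.use(function(req, res, next){
   req.user.should.equal('tj');
@@ -86,7 +86,7 @@ test(app, 'connect.basicAuth(user, pass)');
 var app = connect();
 
 app.use(connect.basicAuth(function(user, pass){
-  return 'tj' == user && 'tobi' == pass;
+  return 'tj' == user && 'tobi:learnboost' == pass;
 }));
 
 app.use(function(req, res, next){
@@ -101,7 +101,7 @@ test(app, 'connect.basicAuth(callback)');
 var app = connect();
 
 app.use(connect.basicAuth(function(user, pass, fn){
-  var ok = 'tj' == user && 'tobi' == pass;
+  var ok = 'tj' == user && 'tobi:learnboost' == pass;
   fn(null, ok
     ? { name: 'tj' }
     : null);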
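Review bot: The new `index < 0` rejection in lib/middleware/basicAuth.js has no test here; the updated fixtures only exercise the happy path with `tj:tobi:learnboost`. A case beside `should next()` in the first hunk, sending `.set('Authorization', 'Basic dGo=')` (base64 of `tj`, no colon) and asserting `res.statusCode.should.equal(400)`, would pin the rejection. Whether a 400 case already exists elsewhere in test/basicAuth.js cannot be seen from these hunks, and the `test(app, signature)` helper begins and ends outside them.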
