Ensure that the basic auth middleware correctly parses passwords cont…

…aining `:`. According to section 2 of RFC 2617, a password may contain any token, including `:`.
senchalabs · Nov 2, 2012 · a580a9d · a580a9d
1 parent 088d867
commit a580a9d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/lib/middleware/basicAuth.js b/lib/middleware/basicAuth.js
@@ -72,11 +72,13 @@ module.exports = function basicAuth(callback, realm) {
     if (parts.length !== 2) return next(utils.error(400));
 
     var scheme = parts[0]
-      , credentials = new Buffer(parts[1], 'base64').toString().split(':')
-      , user = credentials[0]
-      , pass = credentials[1];
+      , credentials = new Buffer(parts[1], 'base64').toString()
+      , index = credentials.indexOf(':');
 
-    if ('Basic' != scheme) return next(utils.error(400));
+    if ('Basic' != scheme || index < 0) return next(utils.error(400));
+
+    var user = credentials.slice(0, index)
+      , pass = credentials.slice(index + 1);
 
     // async
     if (callback.length >= 3) {

diff --git a/test/basicAuth.js b/test/basicAuth.js
@@ -19,7 +19,7 @@ function test(app, signature) {
       it('should next()', function(done){
         app.request()
         .get('/')
-        .set('Authorization', 'Basic dGo6dG9iaQ==')
+        .set('Authorization', 'Basic dGo6dG9iaTpsZWFybmJvb3N0')
         .end(function(res){
           res.statusCode.should.equal(200);
           res.body.should.equal('secret!');
@@ -72,7 +72,7 @@ function test(app, signature) {
 
 var app = connect();
 
-app.use(connect.basicAuth('tj', 'tobi'));
+app.use(connect.basicAuth('tj', 'tobi:learnboost'));
 
 app.use(function(req, res, next){
   req.user.should.equal('tj');
@@ -86,7 +86,7 @@ test(app, 'connect.basicAuth(user, pass)');
 var app = connect();
 
 app.use(connect.basicAuth(function(user, pass){
-  return 'tj' == user && 'tobi' == pass;
+  return 'tj' == user && 'tobi:learnboost' == pass;
 }));
 
 app.use(function(req, res, next){
@@ -101,7 +101,7 @@ test(app, 'connect.basicAuth(callback)');
 var app = connect();
 
 app.use(connect.basicAuth(function(user, pass, fn){
-  var ok = 'tj' == user && 'tobi' == pass;
+  var ok = 'tj' == user && 'tobi:learnboost' == pass;
   fn(null, ok
     ? { name: 'tj' }
     : null);