Fix parsing of basic auth credentials if the password includes ':'. #331

Closed
wants to merge 2 commits into from

3 participants

@trentm

The current basic auth middleware will incorrectly parse "user:password" if the password includes a colon.

I'd love to see a 1.6.1 with this. :) Thanks.

@tj
Owner
tj commented

if you don't mind adding a test or two as well that would be great!

@trentm

Test case added (and dropped the "throw" I had because it broke existing tests). Apologies for not having run the test suite before.

@tj
Owner
tj commented

one last thing is signing the CLA if you haven't previously http://code.google.com/legal/individual-cla-v1.0.html

then it's good to go!

@trentm

Confused. Why is this a CLA for google? Does Google own the IP for Connect?

@tj
Owner
tj commented

woah, no, haha, my bad wrong link

@trentm

Did you have a link to an appropriate CLA?

@trentm

I signed the CLA a while back. Would it be possible to pull this now? :)

Thanks.

@kof
kof commented

seems to be a duplicate of #682 which is already merged

@tj tj closed this
Showing with 17 additions and 3 deletions.
  1. +8 −1 lib/middleware/basicAuth.js
  2. +9 −2 test/basicAuth.test.js
9 lib/middleware/basicAuth.js
@@ -66,7 +66,14 @@ module.exports = function basicAuth(callback, realm) {
var parts = authorization.split(' ')
, scheme = parts[0]
- , credentials = new Buffer(parts[1], 'base64').toString().split(':');
+ , credentialsStr = new Buffer(parts[1], 'base64').toString()
+ , idx = credentialsStr.indexOf(':')
+ , credentials;
+ if (idx === -1) {
+ credentials = [credentialsStr];
+ } else {
+ credentials = [credentialsStr.slice(0, idx), credentialsStr.slice(idx+1)];
+ }
if ('Basic' != scheme) return badRequest(res);
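Review bot: In the `idx === -1` branch, `credentials` becomes a one-element array, so `credentials[1]` is undefined and a header whose decoded value has no colon flows on as a user with no password. A decoded value without ':' is not a well-formed user:password pair, so consider rejecting it with `return badRequest(res);` instead of building a partial array. Separately, `parts[1]` is still base64-decoded before the `'Basic' != scheme` check on the next line, and it is undefined when the header contains no space; moving the decode below the scheme check and guarding `parts[1]` would keep non-Basic and malformed headers out of the decoding path. Style: `idx+1` would read better as `idx + 1`.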
11 test/basicAuth.test.js
@@ -11,7 +11,8 @@ var connect = require('connect')
var app = connect(
connect.basicAuth(function(user, pass){
- return 'tj' == user && 'tobi' == pass;
+ return (('tj' == user && 'tobi' == pass)
+ || ('trent' == user && 'my:cat' == pass));
}),
function(req, res){
res.end('wahoo');
@@ -72,6 +73,12 @@ module.exports = {
{ url: '/', headers: { Authorization: 'Basic dGo6dG9iaQ==' }},
{ body: 'wahoo', status: 200 });
},
+
+ 'test authorized with colon in password': function(){
+ assert.response(app,
+ { url: '/', headers: { Authorization: 'Basic dHJlbnQ6bXk6Y2F0' }},
+ { body: 'wahoo', status: 200 });
+ },
'test unauthorized': function(){
assert.response(app,
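Review bot: The added test covers only the success path for a password with a single interior colon; nothing exercises the new `idx === -1` branch in lib/middleware/basicAuth.js. Add a case whose decoded credentials contain no colon (for example `Basic dHJlbnQ=`, which decodes to `trent`) and assert the status the middleware is meant to return, plus a password with more than one colon so that splitting on the first ':' stays pinned down. Also, a blank `+` line is added before the new test while none separates it from 'test unauthorized'; keep the spacing consistent with the neighbouring tests.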
@@ -102,4 +109,4 @@ module.exports = {
{ url: '/', headers: { Authorization: 'Foo asdfasdf' }},
{ body: 'Bad Request', status: 400 });
},
-};
+};
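Review bot: The closing `};` is removed and re-added with no visible difference, so this is a whitespace or end-of-file newline change only. Drop it from the patch to keep the diff minimal, or, if it intentionally adds a missing trailing newline, say so in the commit message.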