
Allow colons in passwords for req.auth

Passwords in basic auth can contain colons (as per RFC 2617), while
usernames cannot, so treat everything after the first colon as the password.
This makes req.auth return the correct value when the user's password
contains a colon.
commit 17bf04d1efeab0f220ad59fc0467bb3816f8c4b5 1 parent 3ab3021
@gmethvin gmethvin authored
Showing with 33 additions and 2 deletions.
  1. +3 −2 lib/request.js
  2. +30 −0 test/req.auth.js
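--- a/lib/request.js
+++ b/lib/request.js
@@ -393,8 +393,9 @@ req.__defineGetter__('auth', function(){
 auth = parts[1];
 // credentials
-auth = new Buffer(auth, 'base64').toString().split(':');
-return { username: auth[0], password: auth[1] };
+auth = new Buffer(auth, 'base64').toString().match(/^([^:]*):(.*)$/);
+if (!auth) return;
+return { username: auth[1], password: auth[2] };
 });
 /**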
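Review bot: In the new `match(/^([^:]*):(.*)$/)` line, `.` does not match line terminators and `$` has no `m` flag, so a decoded credential containing CR or LF fails the match and the getter returns undefined, the same result as a credential with no colon at all. If rejecting such input is intended, say so beside the regex, e.g. `// split on the first colon only (RFC 2617); credentials containing line breaks are treated as malformed`; otherwise `[\s\S]*` in the second group would keep them. The `if (!auth) return;` path means callers that read `req.auth.username` directly need a guard. The getter starts outside this hunk, so its doc comment is not visible here, but it should state that malformed credentials yield undefined.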
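--- a/test/req.auth.js
+++ b/test/req.auth.js
@@ -48,6 +48,36 @@ describe('req', function(){
 })
 })
+describe('when encoded string is malformed', function(){
+it('should return undefined', function(done){
+var app = express();
+
+app.get('/', function(req, res){
+res.send(req.auth || 'none');
+});
+
+request(app)
+.get('/')
+.set('Authorization', 'Basic Z21ldGh2aW4=')
+.expect('none', done)
+})
+})
+
+describe('when password contains a colon', function(){
+it('should return .username and .password', function(done){
+var app = express();
+
+app.get('/', function(req, res){
+res.send(req.auth || 'none');
+});
+
+request(app)
+.get('/')
+.set('Authorization', 'Basic dG9iaTpmZXJyZXQ6ZmVycmV0')
+.expect('{"username":"tobi","password":"ferret:ferret"}', done)
+})
+})
+
 it('should return .username and .password', function(done){
 var app = express();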
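Review bot: The two new cases leave the empty-field results of the new regex unpinned: a credential that decodes to `tobi:` or `:ferret` still matches in lib/request.js and yields an empty password or an empty username rather than undefined. Code that treats a defined `req.auth` as "credentials were supplied" depends on that behaviour, so it deserves its own case, for example `.set('Authorization', 'Basic dG9iaTo=')` with `.expect('{"username":"tobi","password":""}', done)` (the header value is a constructed sample, base64 of `tobi:`). The trailing `it(...)` at the end of this hunk continues outside it.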