
Allow colons in passwords for req.auth #1462

Merged
merged 1 commit into from

2 participants

@gmethvin

Passwords in basic auth can contain colons (as per RFC2617), while
usernames cannot, so assume everything after the colon is a password.
This makes req.auth return the correct value if the user uses a colon
in his password.

@gmethvin gmethvin Allow colons in passwords for req.auth
Passwords in basic auth can contain colons (as per RFC2617), while
usernames cannot, so assume everything after the colon is a password.
This makes req.auth return the correct value if the user uses a colon
in his password.
17bf04d
@tj tj merged commit 480d006 into from
@tj tj commented on the diff
lib/request.js
@@ -393,8 +393,9 @@ req.__defineGetter__('auth', function(){
auth = parts[1];
// credentials
- auth = new Buffer(auth, 'base64').toString().split(':');
- return { username: auth[0], password: auth[1] };
@tj
tj added a note

might be more elegant to just do auth.shift() and auth.join(':') there

@tj
tj added a note

meh whatever it's all good haha

Commits on Jan 6, 2013
  1. @gmethvin

    Allow colons in passwords for req.auth

    gmethvin authored
    Passwords in basic auth can contain colons (as per RFC2617), while
    usernames cannot, so assume everything after the colon is a password.
    This makes req.auth return the correct value if the user uses a colon
    in his password.
Showing with 33 additions and 2 deletions.
  1. +3 −2 lib/request.js
  2. +30 −0 test/req.auth.js
5 lib/request.js
@@ -393,8 +393,9 @@ req.__defineGetter__('auth', function(){
auth = parts[1];
// credentials
- auth = new Buffer(auth, 'base64').toString().split(':');
- return { username: auth[0], password: auth[1] };
@tj
tj added a note

might be more elegant to just do auth.shift() and auth.join(':') there

@tj
tj added a note

meh whatever it's all good haha

+ auth = new Buffer(auth, 'base64').toString().match(/^([^:]*):(.*)$/);
+ if (!auth) return;
+ return { username: auth[1], password: auth[2] };
});
/**
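Review bot: The password group `(.*)` in the added `match(/^([^:]*):(.*)$/)` line stops at line terminators, so a decoded credential whose password contains `\n` or `\r` fails the match and `req.auth` comes back undefined, while the username group `[^:]*` has no such limit. If such passwords should be accepted, use `/^([^:]*):([\s\S]*)$/`; if they should be rejected, say so in a comment such as `// user-id has no ':'; the password is everything after the first ':' and must not contain line breaks`. Callers need to treat an undefined `req.auth` as unauthenticated now that malformed input returns early. The getter starts above this hunk, so how `parts` is checked before this point is not visible here.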
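--- a/test/req.auth.js
+++ b/test/req.auth.js
@@ -48,6 +48,36 @@ describe('req', function(){
 })
 })
+ describe('when encoded string is malformed', function(){
+ it('should return undefined', function(done){
+ var app = express();
+
+ app.get('/', function(req, res){
+ res.send(req.auth || 'none');
+ });
+
+ request(app)
+ .get('/')
+ .set('Authorization', 'Basic Z21ldGh2aW4=')
+ .expect('none', done)
+ })
+ })
+
+ describe('when password contains a colon', function(){
+ it('should return .username and .password', function(done){
+ var app = express();
+
+ app.get('/', function(req, res){
+ res.send(req.auth || 'none');
+ });
+
+ request(app)
+ .get('/')
+ .set('Authorization', 'Basic dG9iaTpmZXJyZXQ6ZmVycmV0')
+ .expect('{"username":"tobi","password":"ferret:ferret"}', done)
+ })
+ })
+
 it('should return .username and .password', function(done){
 var app = express();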
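Review bot: The added cases do not pin the empty-field behaviour that the new pattern allows: `[^:]*` and `.*` both match the empty string, so `tobi:` and `:ferret` yield objects with an empty password or username rather than undefined. A third case would make that an explicit decision, for example (constructed sample, base64 of `tobi:`) `.set('Authorization', 'Basic dG9iaTo=')` with `.expect('{"username":"tobi","password":""}', done)`. The trailing `it('should return .username and .password', ...)` context continues past the end of this hunk.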