Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require Colon in Basic Auth #1474

Merged
merged 1 commit into from Mar 16, 2015
Merged

Require Colon in Basic Auth #1474

merged 1 commit into from Mar 16, 2015

Conversation

erykwalder
Copy link
Contributor

Going by RFC 2617, it seems that a colon is required in the base64 encoded user-pass.

   To receive authorization, the client sends the userid and password,
   separated by a single colon (":") character, within a base64 [7]
   encoded string in the credentials.

      basic-credentials = base64-user-pass
      base64-user-pass  = <base64 [4] encoding of user-pass, except not limited to 76 char/line>
      user-pass   = userid ":" password
      userid      = *<TEXT excluding ":">
      password    = *TEXT

https://www.ietf.org/rfc/rfc2617.txt

Some servers handle the case of a missing colon, but others do not. For instance, the standard method in Golang for parsing basic auth requires a colon.
http://golang.org/src/net/http/request.go?s=16575:16641#L518

Rather than force users to specify an empty string, it would be preferable to treat an undefined password as an empty string.

simov
simov reviewed Mar 11, 2015
View reviewed changes
lib/auth.js
self.user = user
self.pass = pass
self.hasAuth = true
var header = typeof pass !== 'undefined' ? user + ':' + pass : user
var header = user + ':' + pass
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could that be

var header = user + ':' + (pass === undefined ? '' : pass)

or if null is supposed to be a falsy value like it should

var header = user + ':' + (pass || '')

@simov
Copy link
Member

simov commented Mar 11, 2015

Added a small comment, other than that if the RFC say so, it should be that way 👍

@erykwalder
Copy link
Contributor Author

@simov Addressed your feedback

nickmccurdy
nickmccurdy reviewed Mar 11, 2015
View reviewed changes
tests/test-basic-auth.js
@@ -22,8 +22,6 @@ tape('setup', function(t) {
ok = true
} else if ( req.headers.authorization === 'Basic ' + new Buffer(':pass').toString('base64')) {
ok = true
} else if ( req.headers.authorization === 'Basic ' + new Buffer('user').toString('base64')) {
ok = true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we keep this test and change ok to false, so we'll have a regression test for this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing these lines gives us the regression test, since the default is ok = false.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, thanks for the explanation.

@simov simov mentioned this pull request Mar 16, 2015
Closed
@nylen
Copy link
Member

nylen commented Mar 16, 2015

LGTM 😎

nylen added a commit that referenced this pull request Mar 16, 2015
@nylen
Merge pull request #1474 from erykwalder/master
1774b03 
Require Colon in Basic Auth
@nylen nylen merged commit 1774b03 into request:master Mar 16, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@erykwalder @simov @nylen @nickmccurdy