Comments (5)
This reminds me of rails, which includes a dummy utf8=✓
query string param in forms to force older IE versions to use utf-8 encoding. I wonder if the same trick would work for basic auth.
from basic-auth.
Hmm, odd. Can you paste what the raw authorization
header you're getting from IE is? Also, can you see if this still happens if you use the following server code?
var http = require('http')
var auth = require('basic-auth')
// Create server
var server = http.createServer(function (req, res) {
var credentials = auth(req)
console.log(credentials);
if (!credentials || credentials.name !== 'john' || credentials.pass !== 'secret') {
res.statusCode = 401
res.setHeader('Content-Type', 'text/plain; charset=utf-8')
res.setHeader('WWW-Authenticate', 'Basic realm="example"')
res.end('Access denied')
} else {
res.setHeader('Content-Type', 'text/plain; charset=utf-8')
res.end('Access granted')
}
})
// Listen
server.listen(3000)
from basic-auth.
same as before:
$ node app.js
Credentials { name: 'hello', pass: '�stillthere?' }
here the headers:
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US, en; q=0.8, it-IT; q=0.5, it; q=0.3
Authorization: Basic aGVsbG86o3N0aWxsdGhlcmU/
Connection: Keep-Alive
Host: 10.0.0.1:3000
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Thanks
from basic-auth.
So what is happening is that IE is encoding the password as latin1, which means the password is coming through as Buffer<a3 73 74 69 6c 6c 74 68 65 72 65 3f>
, where Buffer<a3>
is the £
character in latin1. This module is expecting the username and password just to be encoded in UTF-8 (which it looks like Chrome is sending). As far as I know, there is no possible way to detect in what encoding the browser is actually sending this, so that leaves two possible options:
- I can add an options object where you specify the encoding you are expecting. Of course, that means that if you set that to latin1, it'll be garbled on Chrome now.
- I can add an option object where you can specify to just get the raw bytes of the password back, instead of a string. This will leave it up to you to work out the browser differences however you feel like.
Unfortunately the specification (RFC 7235) does not specify what the expected encoding is supposed to be. I would http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication which seems to have the best answer:
They use utf-8 (Chrome, Opera), iso-8859-1 (Safari), the system code page (IE) or something else (like only the most significant bit from utf-8 in the case of Firefox).
This means that at least the non-IE browser could use user-agent sniffing to determine the encoding, but since IE uses the configured system code page, it's impossible to ever figure out what IE is sending. The general recommendation around the Internet seems to be to not use Basic auth if the username / password is going to be outside of US-ASCII.
from basic-auth.
Btw. RFC 7617 Section 2.1 also mentions that the charset can be specified as part of the WWW-Authenticate
header:
WWW-Authenticate: Basic realm="foo", charset="UTF-8"
I wouldn't get my hopes up about IE supporthing that though, judging from:
Issue #11879588 – Support the 'charset' auth-param in basic authentication
from basic-auth.
Related Issues (20)
- Logout HOT 1
- Cannot read property 'nodemon' of undefined HOT 1
- Not able to install Basic-auth on windows 10. HOT 2
- Add support for es6 default import HOT 2
- Add support for URL encoding HOT 3
- Use constant-time comparison to prevent timing attacks. HOT 2
- Is the example w/ express? and example w/ express routes? (eom) HOT 5
- Questions about realms HOT 3
- Does not work when missing colon HOT 6
- Example in documentation is vulnerable to timing attack HOT 1
- Passing basic http credentials in URI HOT 3
- How to properly use `crypto.timingSafeEqual(a, b)`? HOT 27
- Vulnerabilities found HOT 3
- Question: Any breaking change from 1.1.0 -> 2.0.1 ? Can't find any CHANGELOG HOT 1
- Header is case sensitive HOT 5
- Security Vulnerability pick up by Fortify Scan (basic-auth) HOT 1
- How do i remove the pop up and make a custom html login page with basic-auth? HOT 1
- Value of validation token HOT 1
- Disallow control characters in `user-id` and `password` to be RFC-compliant. HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from basic-auth.