Comments (6)
Hi @edgracilla I just tried running the EXAMPLE in the README over HTTPS on Google Chrome 59 and it worked just fine. Can you provide more information on how to reproduce your issue? If you're not sure where to start:
- The version of this module.
- The version of Node.js
- The web browser you're using
- If your web browser is indicating any kind of SSL certificate error
- Full source code showing the issue (ideally just use the example from the README).
- If you're not using the README example, provide instructions for how to reproduce.
Thanks!
from basic-auth.
Our app requires to capture 3 variations in basic auth (no user, user only, user and pass). Your regex fail to capture user only
and returns undefined
.
var userPassRegExp = /^([^:]*):(.*)$/
user:pass@localhost // Ok
user@localhost // Fail
from basic-auth.
Hi @edgracilla all three of those are required to have the :
in the content, as per the specification for basic auth (RFC 2617, since June 1999). You can even see that the web browsers follow this, for example here is what Chrome does when I enter only a username using the README example:
- Run the following app:
$ node -e 'require("http").createServer(function(req,res){console.dir(req.headers);res.writeHead(401,{"WWW-Authenticate":"Basic realm=\"example\""});res.end()}).listen(3000)'
Then navigate to http://localhost:3000 and enter just a username.
Then go back to the console to see the headers the web browser sent:
{ host: 'localhost:3000',
connection: 'keep-alive',
'cache-control': 'max-age=0',
authorization: 'Basic dXNlckBsb2NhbGhvc3Q6',
'upgrade-insecure-requests': '1',
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36',
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'accept-encoding': 'gzip, deflate, br',
'accept-language': 'en-US,en;q=0.8' }
You can see the header sent by Chrome: Basic dXNlckBsb2NhbGhvc3Q6
If you un-base64-encode the basic header, you see the colon at the end:
$ node -pe 'new Buffer("dXNlckBsb2NhbGhvc3Q6","base64").toString()'
user@localhost:
What web browser re you using that is violating the basic auth specification?
from basic-auth.
We are not using any browser, our users (which is developers too) will utilize the https
module and will do the https.request()
. In this case, appending the ':
' to comply with the RFC might be an issue because not all of them are aware of the standard.
I already solved my issue using below basic POC codes to handle non-RFC compliant.
let decodeb64 = (str) => {
if (!str) return
let arr = str.split(' ')
if (arr.length === 2) {
str = Buffer.from(arr[1], 'base64').toString()
arr = str = str.split(':')
if (arr.length === 1) {
return {name: arr[0]}
} else if (arr.length === 2) {
return {name: arr[0], pass: arr[1]}
}
}
}
If your regex is RFC compliant then that would be fine and you may close this issue. But in the wild if newbie developer will do the basic auth by generating base64 manually and they are not aware of the RFC, no colons will be appended if it is user only.
{
'Authorization': `Basic ${new Buffer(conf.username).toString('base64')}`
}
from basic-auth.
Gotcha, I will close the issue, then. It sounds like the bug is in the client not this module. Standards exist as a point of agreement made between parties. This module complies with the standard, just the same as all software. If people are building a new implementation, that's great! Just build them to the standard the industry has been in agreement on for almost 20 years :)
from basic-auth.
If people are building a new implementation, that's great!
Yup, standard are standards. But not all devs are aware of every details of it. In my case, I just need to handle the fault of people who will not follow the standard. I just don't want to be bombarded with email/issue report that it is my apps fault. Saving time and energy by simply supporting the missing/forgotten colon 😁
from basic-auth.
Related Issues (20)
- Logout HOT 1
- Cannot read property 'nodemon' of undefined HOT 1
- Not able to install Basic-auth on windows 10. HOT 2
- Add support for es6 default import HOT 2
- Add support for URL encoding HOT 3
- Use constant-time comparison to prevent timing attacks. HOT 2
- Is the example w/ express? and example w/ express routes? (eom) HOT 5
- Questions about realms HOT 3
- Special character in password using IE HOT 5
- Example in documentation is vulnerable to timing attack HOT 1
- Passing basic http credentials in URI HOT 3
- How to properly use `crypto.timingSafeEqual(a, b)`? HOT 27
- Vulnerabilities found HOT 3
- Question: Any breaking change from 1.1.0 -> 2.0.1 ? Can't find any CHANGELOG HOT 1
- Header is case sensitive HOT 5
- Security Vulnerability pick up by Fortify Scan (basic-auth) HOT 1
- How do i remove the pop up and make a custom html login page with basic-auth? HOT 1
- Value of validation token HOT 1
- Disallow control characters in `user-id` and `password` to be RFC-compliant. HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from basic-auth.