Code Monkey home page Code Monkey logo

Comments (6)

dougwilson avatar dougwilson commented on July 1, 2024

Hello, and thank you for your issue. You are correct regarding RFC 7617, although this module is written to RFC 2617, as this module was created prior to the existence of 7617.

It is possible that a future version of this module can update to instead follow RFC 7617 as a breaking change, though I don't see the exact purpose to make it more strict and break existing applications.

We could always add an option to the parser to choose with RFC to follow, would that be of interest to you?

from basic-auth.

dougwilson avatar dougwilson commented on July 1, 2024

I do see that TEXT is defined as follows, however:

       TEXT           = <any OCTET except CTLs,
                        but including LWS>

which looks like it also excludes certain CTL characters. I think we can release a 2.0 that adds this restriction. I need to think about if it should returned undefined or throw under this condition. Not sure if you have any thoughts on it or not.

from basic-auth.

issuefiler avatar issuefiler commented on July 1, 2024

That’s right: RFC 2617 forbids all control characters but linear whitespace, and its successor, RFC 7617, simply forbids all of them including linear whitespace. Hence the original title of this issue.

I was just reporting it to inform you, not expecting an immediate “fix.” With this notice, you can do as you please with your package.

Releasing a new version with this restriction sounds good, by the way.

from basic-auth.

issuefiler avatar issuefiler commented on July 1, 2024

If you don’t mind, may I change the title back?

from basic-auth.

issuefiler avatar issuefiler commented on July 1, 2024

And I believe it should return undefined, not throw, just like how invalid, malformed Authorization header field values are currently handled, so that it can be handled in the same manner (with 401 Unauthorized responses).

basic-auth/index.js

Lines 107 to 112 in e8a29f9

// parse header
var match = CREDENTIALS_REGEXP.exec(string)
if (!match) {
return undefined
}


RFC 9110 — HTTP semantics

11.4. Credentials

Upon receipt of a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password) or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server SHOULD send a 401 Unauthorized response that contains a WWW-Authenticate header field with at least one (possibly new) challenge applicable to the requested resource.

from basic-auth.

issuefiler avatar issuefiler commented on July 1, 2024

I also doubt the need for “an option for the parser to choose between the RFC 2617 and RFC 7617 modes,” because,

compared to RFC 7617, the characters that RFC 2617 additionally supports in user-id and password are:

  • Carriage Return (␍/13),
  • Line Feed (␊/10),
  • and Horizontal Tab (␉/9),

which, innocent, sane users wouldn’t use in their usernames and passwords to sign in. Following the obsolete standard, RFC 2617, only benefits malicious attackers.

Internet Engineering Task Force (IETF)                        J. Reschke
Request for Comments: 7617                                    greenbytes
Obsoletes: 2617                                           September 2015

from basic-auth.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.