Comments (6)
Hello, and thank you for your issue. You are correct regarding RFC 7617, although this module is written to RFC 2617, as this module was created prior to the existence of 7617.
It is possible that a future version of this module can update to instead follow RFC 7617 as a breaking change, though I don't see the exact purpose to make it more strict and break existing applications.
We could always add an option to the parser to choose which RFC to follow, would that be of interest to you?
from basic-auth.
I do see that TEXT is defined as follows, however:
TEXT = <any OCTET except CTLs, but including LWS>
which looks like it also excludes certain CTL characters. I think we can release a 2.0 that adds this restriction. I need to think about if it should return undefined or throw under this condition. Not sure if you have any thoughts on it or not.
from basic-auth.
That’s right: RFC 2617 forbids all control characters but linear whitespace, and its successor, RFC 7617, simply forbids all of them including linear whitespace. Hence the original title of this issue.
I was just reporting it to inform you, not expecting an immediate “fix.” With this notice, you can do as you please with your package.
Releasing a new version with this restriction sounds good, by the way.
from basic-auth.
If you don’t mind, may I change the title back?
from basic-auth.
And I believe it should return undefined, not throw, just like how invalid, malformed Authorization header field values are currently handled, so that it can be handled in the same manner (with 401 Unauthorized responses).
Lines 107 to 112 in e8a29f9
RFC 9110 — HTTP semantics, 11.4. Credentials:
Upon receipt of a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password) or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server SHOULD send a 401 Unauthorized response that contains a WWW-Authenticate header field with at least one (possibly new) challenge applicable to the requested resource.
from basic-auth.
I also doubt the need for “an option for the parser to choose between the RFC 2617 and RFC 7617 modes,” because, compared to RFC 7617, the characters that RFC 2617 additionally supports in user-id and password are:
- Carriage Return (␍/13),
- Line Feed (␊/10),
- and Horizontal Tab (␉/9),
which innocent, sane users wouldn’t use in their usernames and passwords to sign in. Following the obsolete standard, RFC 2617, only benefits malicious attackers.
Internet Engineering Task Force (IETF), Request for Comments: 7617, J. Reschke, greenbytes, September 2015. Obsoletes: 2617.
from basic-auth.
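The behaviour discussed in this thread, as an added example that is not basic-auth's own code: a Basic credentials parser that returns undefined (rather than throwing) for malformed input, rejects every control character in user-id and password as RFC 7617 requires, and, via a hypothetical `rfc2617` option, shows the looser RFC 2617 rule that still lets CR, LF and HTAB through. The function and option names are assumptions for illustration.

```javascript
// Added example, not the basic-auth module's code. Parses an Authorization
// header value of the form "Basic <base64(user-id ":" password)>".
// Returns undefined for anything malformed, so callers can answer
// 401 Unauthorized uniformly instead of catching exceptions.

// Scheme name is case-insensitive; token68 = ALPHA / DIGIT / "-" / "." /
// "_" / "~" / "+" / "/" followed by optional "=" padding.
const CREDENTIALS_RE = /^ *[Bb][Aa][Ss][Ii][Cc] +([A-Za-z0-9._~+/-]+=*) *$/;
// RFC 2616 CTL: octets 0-31 and 127 (RFC 7617 forbids all of them).
const CTL_RE = /[\x00-\x1f\x7f]/;
// RFC 2617 TEXT: CTLs are forbidden except LWS, i.e. CR (13), LF (10), HTAB (9).
const CTL_EXCEPT_LWS_RE = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;

function parseBasicAuth(headerValue, { rfc2617 = false } = {}) {
  if (typeof headerValue !== 'string') return undefined;
  const match = CREDENTIALS_RE.exec(headerValue);
  if (!match) return undefined;

  // Decode as latin1 so every decoded octet becomes exactly one code unit;
  // that keeps the CTL checks below byte-accurate.
  const decoded = Buffer.from(match[1], 'base64').toString('latin1');

  // user-pass = userid ":" password; userid may not contain ":", so split
  // at the first colon and let the password keep any further colons.
  const colon = decoded.indexOf(':');
  if (colon === -1) return undefined;
  const name = decoded.slice(0, colon);
  const pass = decoded.slice(colon + 1);

  const forbidden = rfc2617 ? CTL_EXCEPT_LWS_RE : CTL_RE;
  if (forbidden.test(name) || forbidden.test(pass)) return undefined;
  return { name, pass };
}

// Constructed credential with a horizontal tab inside the password: rejected
// under RFC 7617, accepted only in the obsolete RFC 2617 mode.
function demo() {
  const header = 'Basic ' + Buffer.from('alice:pa\tss', 'latin1').toString('base64');
  return {
    strict: parseBasicAuth(header),
    legacy: parseBasicAuth(header, { rfc2617: true }),
  };
}
```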