echo/middleware/basic_auth_test.go

// SPDX-License-Identifier: MIT
// SPDX-FileCopyrightText: © 2015 LabStack LLC and Echo contributors

package middleware

import (
	"encoding/base64"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"

	"github.com/labstack/echo/v4"
	"github.com/stretchr/testify/assert"
)

func TestBasicAuth(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	res := httptest.NewRecorder()
	c := e.NewContext(req, res)
	f := func(u, p string, c echo.Context) (bool, error) {
		if u == "joe" && p == "secret" {
			return true, nil
		}
		return false, nil
	}
	h := BasicAuth(f)(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	// Valid credentials
	auth := basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:secret"))
	req.Header.Set(echo.HeaderAuthorization, auth)
	assert.NoError(t, h(c))

	h = BasicAuthWithConfig(BasicAuthConfig{
		Validator: f,
		Realm:     "someRealm",
	})(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	// Valid credentials
	auth = basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:secret"))
	req.Header.Set(echo.HeaderAuthorization, auth)
	assert.NoError(t, h(c))

	// Case-insensitive header scheme
	auth = strings.ToUpper(basic) + " " + base64.StdEncoding.EncodeToString([]byte("joe:secret"))
	req.Header.Set(echo.HeaderAuthorization, auth)
	assert.NoError(t, h(c))

	// Invalid credentials
	auth = basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:invalid-password"))
	req.Header.Set(echo.HeaderAuthorization, auth)
	he := h(c).(*echo.HTTPError)
	assert.Equal(t, http.StatusUnauthorized, he.Code)
	assert.Equal(t, basic+` realm="someRealm"`, res.Header().Get(echo.HeaderWWWAuthenticate))

	// Invalid base64 string
	auth = basic + " invalidString"
	req.Header.Set(echo.HeaderAuthorization, auth)
	he = h(c).(*echo.HTTPError)
	assert.Equal(t, http.StatusBadRequest, he.Code)

	// Missing Authorization header
	req.Header.Del(echo.HeaderAuthorization)
	he = h(c).(*echo.HTTPError)
	assert.Equal(t, http.StatusUnauthorized, he.Code)

	// Invalid Authorization header
	auth = base64.StdEncoding.EncodeToString([]byte("invalid"))
	req.Header.Set(echo.HeaderAuthorization, auth)
	he = h(c).(*echo.HTTPError)
	assert.Equal(t, http.StatusUnauthorized, he.Code)

	h = BasicAuthWithConfig(BasicAuthConfig{
		Validator: f,
		Realm:     "someRealm",
		Skipper: func(c echo.Context) bool {
			return true
		},
	})(func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	})

	// Skipped Request
	auth = basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:skip"))
	req.Header.Set(echo.HeaderAuthorization, auth)
	assert.NoError(t, h(c))

}
Add SPDX licence comments to files. See https://spdx.dev/learn/handling-license-info/ (#2604) 2024-03-09 11:21:24 +02:00			`// SPDX-License-Identifier: MIT`
			`// SPDX-FileCopyrightText: © 2015 LabStack LLC and Echo contributors`

Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`package middleware`

			`import (`
			`"encoding/base64"`
			`"net/http"`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`"net/http/httptest"`
Basic scheme is case-insensitive (#1033) 2017-11-21 01:57:41 +02:00			`"strings"`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`"testing"`

Introduced Go module support as v4, removed obsolete CloseNotifier() mechanism This reintroduces support for Go modules, as v4. CloseNotifier() is removed as it has been obsoleted, see https://golang.org/doc/go1.11#net/http It was already NOT working (not sending signals) as of 1.11 the functionality was gone, we merely deleted the functions that exposed it. If anyone still relies on it they should migrate to using `c.Request().Context().Done()` instead. Closes #1268, #1255 2019-01-30 12:56:56 +02:00			`"github.com/labstack/echo/v4"`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestBasicAuth(t *testing.T) {`
			`e := echo.New()`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`res := httptest.NewRecorder()`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`c := e.NewContext(req, res)`
Fixed #938 Signed-off-by: Vishal Rana <vr@labstack.com> 2017-05-27 12:10:51 +02:00			`f := func(u, p string, c echo.Context) (bool, error) {`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`if u == "joe" && p == "secret" {`
Fixed #938 Signed-off-by: Vishal Rana <vr@labstack.com> 2017-05-27 12:10:51 +02:00			`return true, nil`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`}`
Fixed #938 Signed-off-by: Vishal Rana <vr@labstack.com> 2017-05-27 12:10:51 +02:00			`return false, nil`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`}`
			`h := BasicAuth(f)(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`// Valid credentials`
			`auth := basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:secret"))`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderAuthorization, auth)`
refactor assertions (#2301) 2022-10-12 20:47:21 +02:00			`assert.NoError(t, h(c))`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00
[FIX] Cleanup code (#1061) Code cleanup 2018-02-21 20:44:17 +02:00			`h = BasicAuthWithConfig(BasicAuthConfig{`
			`Validator: f,`
			`Realm: "someRealm",`
			`})(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`// Valid credentials`
			`auth = basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:secret"))`
			`req.Header.Set(echo.HeaderAuthorization, auth)`
refactor assertions (#2301) 2022-10-12 20:47:21 +02:00			`assert.NoError(t, h(c))`
[FIX] Cleanup code (#1061) Code cleanup 2018-02-21 20:44:17 +02:00
Basic scheme is case-insensitive (#1033) 2017-11-21 01:57:41 +02:00			`// Case-insensitive header scheme`
			`auth = strings.ToUpper(basic) + " " + base64.StdEncoding.EncodeToString([]byte("joe:secret"))`
			`req.Header.Set(echo.HeaderAuthorization, auth)`
refactor assertions (#2301) 2022-10-12 20:47:21 +02:00			`assert.NoError(t, h(c))`
Basic scheme is case-insensitive (#1033) 2017-11-21 01:57:41 +02:00
Added key auth middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-01-03 06:12:06 +02:00			`// Invalid credentials`
			`auth = basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:invalid-password"))`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderAuthorization, auth)`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`he := h(c).(*echo.HTTPError)`
refactor assertions (#2301) 2022-10-12 20:47:21 +02:00			`assert.Equal(t, http.StatusUnauthorized, he.Code)`
			assert.Equal(t, basic+` realm="someRealm"`, res.Header().Get(echo.HeaderWWWAuthenticate))
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00
fix: basic auth invalid base64 string (#2191) * fix: basic auth returns 400 on invalid base64 string 2022-05-27 18:44:51 +02:00			`// Invalid base64 string`
			`auth = basic + " invalidString"`
			`req.Header.Set(echo.HeaderAuthorization, auth)`
			`he = h(c).(*echo.HTTPError)`
refactor assertions (#2301) 2022-10-12 20:47:21 +02:00			`assert.Equal(t, http.StatusBadRequest, he.Code)`
fix: basic auth invalid base64 string (#2191) * fix: basic auth returns 400 on invalid base64 string 2022-05-27 18:44:51 +02:00
Added key auth middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2017-01-03 06:12:06 +02:00			`// Missing Authorization header`
			`req.Header.Del(echo.HeaderAuthorization)`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`he = h(c).(*echo.HTTPError)`
refactor assertions (#2301) 2022-10-12 20:47:21 +02:00			`assert.Equal(t, http.StatusUnauthorized, he.Code)`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00
			`// Invalid Authorization header`
			`auth = base64.StdEncoding.EncodeToString([]byte("invalid"))`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderAuthorization, auth)`
Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`he = h(c).(*echo.HTTPError)`
refactor assertions (#2301) 2022-10-12 20:47:21 +02:00			`assert.Equal(t, http.StatusUnauthorized, he.Code)`
Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator (#2461) * Add Skipper Unit Test In BasicBasicAuthConfig and Add More detail explanation regarding BasicAuthValidator * Simplify Skipper Unit Test 2024-02-18 15:47:13 +02:00
			`h = BasicAuthWithConfig(BasicAuthConfig{`
			`Validator: f,`
			`Realm: "someRealm",`
			`Skipper: func(c echo.Context) bool {`
			`return true`
			`},`
			`})(func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`})`

			`// Skipped Request`
			`auth = basic + " " + base64.StdEncoding.EncodeToString([]byte("joe:skip"))`
			`req.Header.Set(echo.HeaderAuthorization, auth)`
			`assert.NoError(t, h(c))`

Added method override middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-28 06:08:06 +02:00			`}`