Fixed basic auth middleware, closes #799

Signed-off-by: Vishal Rana <vr@labstack.com>
2024-11-28 08:38:39 +02:00 · 2017-01-05 12:12:31 -08:00 · 2017-01-05 12:12:31 -08:00 · 4cbef06bef
commit 4cbef06bef
parent bf317578d7
3 changed files with 7 additions and 15 deletions
--- a/middleware/basic_auth.go
+++ b/middleware/basic_auth.go
@ -2,7 +2,6 @@ package middleware

 import (
 	"encoding/base64"
-	"net/http"

 	"github.com/labstack/echo"
 )
@ -19,7 +18,7 @@ type (
 	}

 	// BasicAuthValidator defines a function to validate BasicAuth credentials.
-	BasicAuthValidator func(string, string) bool
+	BasicAuthValidator func(string, string, echo.Context) bool
 )

 const (
@ -36,8 +35,7 @@ var (
 // BasicAuth returns an BasicAuth middleware.
 //
 // For valid credentials it calls the next handler.
-// For invalid credentials, it sends "401 - Unauthorized" response.
-// For missing or invalid `Authorization` header, it sends "400 - Bad Request" response.
+// For missing or invalid credentials, it sends "401 - Unauthorized" response.
 func BasicAuth(fn BasicAuthValidator) echo.MiddlewareFunc {
 	c := DefaultBasicAuthConfig
 	c.Validator = fn
@ -62,9 +60,6 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 			}

 			auth := c.Request().Header.Get(echo.HeaderAuthorization)
-			if auth == "" {
-				return echo.NewHTTPError(http.StatusBadRequest, "Missing authorization header")
-			}
 			l := len(basic)

 			if len(auth) > l+1 && auth[:l] == basic {
@ -76,13 +71,11 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 				for i := 0; i < len(cred); i++ {
 					if cred[i] == ':' {
 						// Verify credentials
-						if config.Validator(cred[:i], cred[i+1:]) {
+						if config.Validator(cred[:i], cred[i+1:], c) {
 							return next(c)
 						}
 					}
 				}
-			} else {
-				return echo.NewHTTPError(http.StatusBadRequest, "Invalid authorization header")
 			}

 			// Need to return `401` for browsers to pop-up login box.
--- a/middleware/basic_auth_test.go
+++ b/middleware/basic_auth_test.go
@ -15,7 +15,7 @@ func TestBasicAuth(t *testing.T) {
 	req, _ := http.NewRequest(echo.GET, "/", nil)
 	res := httptest.NewRecorder()
 	c := e.NewContext(req, res)
-	f := func(u, p string) bool {
+	f := func(u, p string, c echo.Context) bool {
 		if u == "joe" && p == "secret" {
 			return true
 		}
@ -40,11 +40,11 @@ func TestBasicAuth(t *testing.T) {
 	// Missing Authorization header
 	req.Header.Del(echo.HeaderAuthorization)
 	he = h(c).(*echo.HTTPError)
-	assert.Equal(t, http.StatusBadRequest, he.Code)
+	assert.Equal(t, http.StatusUnauthorized, he.Code)

 	// Invalid Authorization header
 	auth = base64.StdEncoding.EncodeToString([]byte("invalid"))
 	req.Header.Set(echo.HeaderAuthorization, auth)
 	he = h(c).(*echo.HTTPError)
-	assert.Equal(t, http.StatusBadRequest, he.Code)
+	assert.Equal(t, http.StatusUnauthorized, he.Code)
 }
--- a/website/content/middleware/basic-auth.md
+++ b/website/content/middleware/basic-auth.md
@ -10,8 +10,7 @@ description = "Basic auth middleware for Echo"
 Basic auth middleware provides an HTTP basic authentication.

 - For valid credentials it calls the next handler.
- For invalid credentials, it sends "401 - Unauthorized" response.
- For missing or invalid `Authorization` header, it sends "400 - Bad Request" response.
+- For missing or invalid credentials, it sends "401 - Unauthorized" response.

 *Usage*