1
0
mirror of https://github.com/labstack/echo.git synced 2024-12-24 20:14:31 +02:00

fix: basic auth invalid base64 string (#2191)

* fix: basic auth returns 400 on invalid base64 string
This commit is contained in:
welling guzmán 2022-05-27 18:44:51 +02:00 committed by GitHub
parent d5f883707b
commit b0453b98e0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 1 deletions

View File

@ -4,6 +4,7 @@ import (
"encoding/base64"
"strconv"
"strings"
"net/http"
"github.com/labstack/echo/v4"
)
@ -74,10 +75,13 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
l := len(basic)
if len(auth) > l+1 && strings.EqualFold(auth[:l], basic) {
// Invalid base64 shouldn't be treated as error
// instead should be treated as invalid client input
b, err := base64.StdEncoding.DecodeString(auth[l+1:])
if err != nil {
return err
return echo.NewHTTPError(http.StatusBadRequest).SetInternal(err)
}
cred := string(b)
for i := 0; i < len(cred); i++ {
if cred[i] == ':' {

View File

@ -58,6 +58,12 @@ func TestBasicAuth(t *testing.T) {
assert.Equal(http.StatusUnauthorized, he.Code)
assert.Equal(basic+` realm="someRealm"`, res.Header().Get(echo.HeaderWWWAuthenticate))
// Invalid base64 string
auth = basic + " invalidString"
req.Header.Set(echo.HeaderAuthorization, auth)
he = h(c).(*echo.HTTPError)
assert.Equal(http.StatusBadRequest, he.Code)
// Missing Authorization header
req.Header.Del(echo.HeaderAuthorization)
he = h(c).(*echo.HTTPError)