mirror of
https://github.com/labstack/echo.git
synced 2024-12-24 20:14:31 +02:00
fix: basic auth invalid base64 string (#2191)
* fix: basic auth returns 400 on invalid base64 string
This commit is contained in:
parent
d5f883707b
commit
b0453b98e0
@ -4,6 +4,7 @@ import (
|
||||
"encoding/base64"
|
||||
"strconv"
|
||||
"strings"
|
||||
"net/http"
|
||||
|
||||
"github.com/labstack/echo/v4"
|
||||
)
|
||||
@ -74,10 +75,13 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
|
||||
l := len(basic)
|
||||
|
||||
if len(auth) > l+1 && strings.EqualFold(auth[:l], basic) {
|
||||
// Invalid base64 shouldn't be treated as error
|
||||
// instead should be treated as invalid client input
|
||||
b, err := base64.StdEncoding.DecodeString(auth[l+1:])
|
||||
if err != nil {
|
||||
return err
|
||||
return echo.NewHTTPError(http.StatusBadRequest).SetInternal(err)
|
||||
}
|
||||
|
||||
cred := string(b)
|
||||
for i := 0; i < len(cred); i++ {
|
||||
if cred[i] == ':' {
|
||||
|
@ -58,6 +58,12 @@ func TestBasicAuth(t *testing.T) {
|
||||
assert.Equal(http.StatusUnauthorized, he.Code)
|
||||
assert.Equal(basic+` realm="someRealm"`, res.Header().Get(echo.HeaderWWWAuthenticate))
|
||||
|
||||
// Invalid base64 string
|
||||
auth = basic + " invalidString"
|
||||
req.Header.Set(echo.HeaderAuthorization, auth)
|
||||
he = h(c).(*echo.HTTPError)
|
||||
assert.Equal(http.StatusBadRequest, he.Code)
|
||||
|
||||
// Missing Authorization header
|
||||
req.Header.Del(echo.HeaderAuthorization)
|
||||
he = h(c).(*echo.HTTPError)
|
||||
|
Loading…
Reference in New Issue
Block a user