Hypertopic / AAAforREST

An HTTP reverse proxy to bring authentication, authorization and accounting to RESTful applications
GNU Affero General Public License v3.0

Passwords containing `:` #36

Closed benel closed 8 years ago

benel commented 8 years ago

... are not properly parsed.

This is due to the way HTTP basic authentication is parsed: token.split(':')[1] is not necessarily the whole password.

benel commented 8 years ago

In proxy.js, try to replace:

    login: credentials[0],
    password: credentials.length>1 ? credentials[1] : ""

with

    login: credentials.shift(),
    password: credentials.length>0 ? credentials.join(':') : ""
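
The parse the comments above describe, as an added example that is not part of this thread or of AAAforREST's proxy.js. `parseBasicAuthBuggy` reproduces the `split(':')[1]` behaviour from the issue and `parseBasicAuth` the `shift()`/`join(':')` fix; both helper names, `decodeBasic` and `basicHeader`, are hypothetical. Splitting at the first `:` only is correct because the user-id of HTTP Basic authentication may not contain `:`, while the password may contain any number of them.

```javascript
// Added example (not AAAforREST's own code): parsing HTTP Basic credentials
// so that a password containing ':' survives intact.
// Helper names below (decodeBasic, parseBasicAuthBuggy, parseBasicAuth,
// basicHeader) are hypothetical, not identifiers from proxy.js.

// Expect "Basic <base64>"; return the decoded "user:pass" string, or null
// when the header is missing, not Basic, or not valid base64 characters.
function decodeBasic(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic\s+([A-Za-z0-9+/=]+)\s*$/i.exec(header);
  if (!m) return null;
  return Buffer.from(m[1], 'base64').toString('utf8');
}

// The parse the issue reports: split on every ':' and keep only element 1,
// so a decoded "bob:pa:ss:word" yields the truncated password "pa".
function parseBasicAuthBuggy(header) {
  const decoded = decodeBasic(header);
  if (decoded === null) return null;
  const credentials = decoded.split(':');
  return {
    login: credentials[0],
    password: credentials.length > 1 ? credentials[1] : ''
  };
}

// Corrected parse: the first ':' separates login from password; everything
// after it, further colons included, is the password. [].join(':') is ''
// so no length check is needed for the "no password" case.
function parseBasicAuth(header) {
  const decoded = decodeBasic(header);
  if (decoded === null) return null;
  const credentials = decoded.split(':');
  return {
    login: credentials.shift(),
    password: credentials.join(':')
  };
}

// Build an Authorization header value from a constructed login/password pair
// (sample input for the demo, not captured traffic).
function basicHeader(login, password) {
  return 'Basic ' + Buffer.from(login + ':' + password, 'utf8').toString('base64');
}

// Demo on a constructed password that contains colons.
const demoHeader = basicHeader('bob', 'pa:ss:word');
console.log('buggy:', parseBasicAuthBuggy(demoHeader));
console.log('fixed:', parseBasicAuth(demoHeader));
```

Note that both variants return an empty password when the decoded string has no `:` at all or ends with one, which is the behaviour the original `credentials.length>1 ? ... : ""` guard was meant to preserve.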

punkeel commented 8 years ago

Hi, I'm hit by this bug and can't log in to the IF14 website

benel commented 8 years ago

@PunKeel If you're speaking about your university LDAP password, it can be changed through the university digital work environment (ENT).

punkeel commented 8 years ago

Why don't you just merge the code into master ?

(BTW there is no need for the length check, as [].join(...) is the empty string)

benel commented 8 years ago

> (BTW there is no need for the length check, as [].join(...) is the empty string)

True.

> Why don't you just merge the code into master ?

Because right now I don't have the time to test it (and as you saw it, continuous integration is broken) so I prefer my colleagues to do it.

benel commented 8 years ago

Fixed by commit 729708e81e9034ba2681024da4f16a43e5d772a2.

@PunKeel Thank you very much for your nice contribution. Feel free to contact me for a student job or project (aka TX) on next semester.