Hypertopic / AAAforREST

An HTTP reverse proxy to bring authentication, authorization and accounting to RESTful applications
GNU Affero General Public License v3.0

Improve handling of Basic Auth passwords (colons) #37

Closed punkeel closed 8 years ago

punkeel commented 8 years ago

In order to respect RFC 2617, the server must accept any password matching the following requirements:

      user-pass   = userid ":" password
      userid      = *<TEXT excluding ":">
      password    = *TEXT

The former implementation did not respect this, and did not take into account the : character in the password field.

The new implementation assumes that the username ends when the colon is found (so it can't contain one), and uses the other part of the token as the password.
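The parsing rule described in this PR, written out as an added example (this is not the AAAforREST code and the function names are the example's own): the decoded `user-pass` is split at the first colon only, so the userid cannot contain one but the password may contain any number. The "old" function shows the shape of the bug being fixed; the RFC 2617 sample credential `Aladdin` / `open sesame` and the colon-bearing password are constructed inputs.

```javascript
// Added example (not part of AAAforREST): parse an HTTP Basic Authorization
// header per RFC 2617,
//   user-pass = userid ":" password   (userid excludes ":", password = *TEXT)
// so credentials are split at the FIRST colon only.

function parseBasicAuthOld(header) {
  // Shape of the bug this PR fixes: splitting on every colon and keeping the
  // first two fields collapses the password "p:a:ss" to "p", so login fails.
  const token = header.replace(/^Basic\s+/i, '');
  const parts = Buffer.from(token, 'base64').toString('utf8').split(':');
  return { user: parts[0], password: parts[1] };
}

function parseBasicAuth(header) {
  // Returns { user, password }, or null if the header is not well-formed Basic.
  if (typeof header !== 'string') return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})\s*$/i.exec(header);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;                     // the ":" separator is mandatory
  // Everything before the first colon is the userid; everything after it,
  // colons included, is the password.
  return { user: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

function makeBasicAuth(user, password) {
  // Client side: a userid must not contain ":" (the server would read it as
  // the separator); the password may.
  if (user.includes(':')) throw new Error('userid must not contain ":"');
  return 'Basic ' + Buffer.from(user + ':' + password, 'utf8').toString('base64');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed samples: the RFC 2617 example and a password with colons.
  const rfcExample = 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==';
  console.log(parseBasicAuth(rfcExample));    // { user: 'Aladdin', password: 'open sesame' }
  const h = makeBasicAuth('alice', 'p:a:ss');
  console.log(parseBasicAuthOld(h).password); // p        (wrong)
  console.log(parseBasicAuth(h).password);    // p:a:ss   (correct)
}
```

Note that an empty password (`bob:`) and an empty userid (`:secret`) are both valid under the grammar; only a decoded token with no colon at all is rejected.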

punkeel commented 8 years ago

Linked issue: #36

punkeel commented 8 years ago

NB: Travis failed because it's not up to date, but that's not the point of this PR, so it won't be fixed.

benel commented 8 years ago

Thank you very much for contributing.