[x] Added tests for code changes or test/build only changes
[x] Updated the change log file (CHANGES.md|CHANGELOG.md) or test/build only changes
[x] Completed the PR template below:
Description
Use application/json for _session POST of cookie auth
1. Steps to reproduce and the simplest code sample possible to demonstrate the issue
Pass a URL containing percent-encoded user information.
2. What you expected to happen
cookieauth plugin session authentication to work correctly
3. What actually happened
401 unauthorized because the credentials were double encoded.
Approach
Decoded credentials from URL before passing to CookieTokenManager.
Prevents double encoding if passed in a form body.
Modified CookieTokenManager to use a JSON body instead of form encoding anyway.
Improved documentation of characters that must be encoded.
Schema & API Changes
No change
Security and Privacy
Insignificant changes to handling of credentials
For cookieauth credentials are now posted in a JSON body instead of as form encoded data, but it is the same request body as previously (i.e. if the server is https then the body containing the creds will be encrypted)
Preferentially credentials should be passed in the username and password configuration options instead, but in the case where they are passed in the URL user info it is now documented what characters must be encoded.
Testing
Modified existing cookieauth tests to use a password with special characters.
Additional manual testing of credentials passed in URL.