jaredhanson / passport-http

HTTP Basic and Digest authentication strategies for Passport and Node.js.
https://www.passportjs.org/packages/passport-http/?utm_source=github&utm_medium=referral&utm_campaign=passport-http&utm_content=about
MIT License
268 stars, 110 forks

Basic: Fix auth when password contains colon #69

Open FlorianSW opened 7 years ago

FlorianSW commented 7 years ago

A colon is a valid character in the password; however, currently the chars including and after the colon are stripped from the password, which leads to false positives (user can't log in even if the password is correct). This commit fixes that.

Fixes #20
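The parsing problem described in this pull request, as an added example that is not part of the PR or of passport-http's source: RFC 7617 forbids a colon in the user-id but allows it in the password, so the credentials must be split at the first colon only. All function names and the sample credentials are hypothetical and constructed for illustration.

```javascript
// Added example, not passport-http code. Names are hypothetical.

// Returns the decoded "user-id:password" string, or null when the header
// is not a well-formed Basic Authorization header.
function decodeBasic(header) {
  if (typeof header !== 'string') return null;
  const match = /^Basic +([A-Za-z0-9+/]+=*)$/i.exec(header.trim());
  if (!match) return null;
  return Buffer.from(match[1], 'base64').toString('utf8');
}

// Behaviour the PR describes: splitting on every ':' and keeping only the
// second field drops the colon and everything after it from the password.
function parseBasicNaive(header) {
  const decoded = decodeBasic(header);
  if (decoded === null) return null;
  const fields = decoded.split(':');
  if (fields.length < 2) return null;
  return { userid: fields[0], password: fields[1] };
}

// RFC 7617 behaviour: the first colon is the separator, the rest of the
// string (further colons included) is the password.
function parseBasic(header) {
  const decoded = decodeBasic(header);
  if (decoded === null) return null;
  const sep = decoded.indexOf(':');
  if (sep === -1) return null; // no separator: malformed credentials
  return { userid: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Builds a header from constructed sample credentials.
function makeHeader(userid, password) {
  const raw = Buffer.from(userid + ':' + password, 'utf8');
  return 'Basic ' + raw.toString('base64');
}

const sample = makeHeader('alice', 'correct:horse:battery'); // constructed
console.log('naive :', parseBasicNaive(sample));
console.log('fixed :', parseBasic(sample));
```

A regression test for this fix should cover a password with several colons, an empty password, and a decoded value with no colon at all.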

warlin16 commented 4 years ago

Can we please merge this in? This fixes a critical issue for an application I'm working on.

gkTim commented 4 years ago

Please merge this PR, we need this fix ASAP.

TheDen commented 5 months ago

Any reason why this hasn't been merged? IMO it's also a sec issue since it lowers entropy of passwords. Users can base64 encode to get around this I suppose, but it's not ideal.

BradLewis commented 5 months ago

I think this project might just be dead given this PR has been up for 7 years, and the original issue (https://github.com/jaredhanson/passport-http/issues/20) + PR (https://github.com/jaredhanson/passport-http/pull/21) have been up for over 10 years.