search

jshttp / basic-auth

Generic basic auth Authorization header field parser
MIT License
703 stars 86 forks source link

Special character in password using IE #32

Closed sebbalex closed 1 month ago

sebbalex commented 7 years ago

Hello, I got a strange behavior using even the example code:

var http = require('http')
var auth = require('basic-auth')

// Create server 
var server = http.createServer(function (req, res) {
  var credentials = auth(req)
  console.log(credentials); 
  if (!credentials || credentials.name !== 'john' || credentials.pass !== 'secret') {
    res.statusCode = 401
    res.setHeader('WWW-Authenticate', 'Basic realm="example"')
    res.end('Access denied')
  } else {
    res.end('Access granted')
  }
})

// Listen 
server.listen(3000)

If I login with chrome everything is fine, using IE (7,8,9) the special char "£" is not converted correctly.

Chrome:

Credentials { name: 'hello', pass: '£there' }

IE:

Credentials { name: 'hello', pass: '�there' }
dougwilson commented 7 years ago

Hmm, odd. Can you paste what the raw authorization header you're getting from IE is? Also, can you see if this still happens if you use the following server code?

var http = require('http')
var auth = require('basic-auth')

// Create server
var server = http.createServer(function (req, res) {
  var credentials = auth(req)
  console.log(credentials);
  if (!credentials || credentials.name !== 'john' || credentials.pass !== 'secret') {
    res.statusCode = 401
    res.setHeader('Content-Type', 'text/plain; charset=utf-8')
    res.setHeader('WWW-Authenticate', 'Basic realm="example"')
    res.end('Access denied')
  } else {
    res.setHeader('Content-Type', 'text/plain; charset=utf-8')
    res.end('Access granted')
  }
})

// Listen
server.listen(3000)
sebbalex commented 7 years ago

same as before:

$ node app.js 
Credentials { name: 'hello', pass: '�stillthere?' }

here the headers:

Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US, en; q=0.8, it-IT; q=0.5, it; q=0.3
Authorization: Basic aGVsbG86o3N0aWxsdGhlcmU/
Connection: Keep-Alive
Host: 10.0.0.1:3000
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)

Thanks

dougwilson commented 7 years ago

So what is happening is that IE is encoding the password as latin1, which means the password is coming through as Buffer<a3 73 74 69 6c 6c 74 68 65 72 65 3f>, where Buffer<a3> is the £ character in latin1. This module is expecting the username and password just to be encoded in UTF-8 (which it looks like Chrome is sending). As far as I know, there is no possible way to detect in what encoding the browser is actually sending this, so that leaves two possible options:

  1. I can add an options object where you specify the encoding you are expecting. Of course, that means that if you set that to latin1, it'll be garbled on Chrome now.
  2. I can add an option object where you can specify to just get the raw bytes of the password back, instead of a string. This will leave it up to you to work out the browser differences however you feel like.

Unfortunately the specification (RFC 7235) does not specify what the expected encoding is supposed to be. I would http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication which seems to have the best answer:

They use utf-8 (Chrome, Opera), iso-8859-1 (Safari), the system code page (IE) or something else (like only the most significant bit from utf-8 in the case of Firefox).

This means that at least the non-IE browser could use user-agent sniffing to determine the encoding, but since IE uses the configured system code page, it's impossible to ever figure out what IE is sending. The general recommendation around the Internet seems to be to not use Basic auth if the username / password is going to be outside of US-ASCII.

felixbuenemann commented 6 years ago

This reminds me of rails, which includes a dummy utf8=✓ query string param in forms to force older IE versions to use utf-8 encoding. I wonder if the same trick would work for basic auth.

felixbuenemann commented 6 years ago

Btw. RFC 7617 Section 2.1 also mentions that the charset can be specified as part of the WWW-Authenticate header:

WWW-Authenticate: Basic realm="foo", charset="UTF-8"

I wouldn't get my hopes up about IE supporthing that though, judging from:

Issue #11879588 – Support the 'charset' auth-param in basic authentication