authorJeremy Evans <code@jeremyevans.net>2020-01-16 12:17:56 -0800
committerJeremy Evans <code@jeremyevans.net>2020-01-16 12:35:24 -0800
commit4e7ccf55985a4d3a3f1c69c138f76b2336fc7719 (patch)
treee8ebb2987862ed56ded225eb9e28c80a9379d833
parent3b15befa7f741e52ebe7bf9f648460a06f3915c8 (diff)
downloadrack-4e7ccf55985a4d3a3f1c69c138f76b2336fc7719.tar.gz
Require password for basic authentication
Empty passwords are still allowed, but there must be a colon to separate username from password, as required by RFC 2617. Fixes #1138
-rw-r--r--lib/rack/auth/basic.rb2
-rw-r--r--test/spec_auth_basic.rb9
2 files changed, 10 insertions, 1 deletions
diff --git a/lib/rack/auth/basic.rb b/lib/rack/auth/basic.rb
index d334939c..b61bfffe 100644
--- a/lib/rack/auth/basic.rb
+++ b/lib/rack/auth/basic.rb
@@ -44,7 +44,7 @@ module Rack
class Request < Auth::AbstractRequest
def basic?
- "basic" == scheme
+ "basic" == scheme && credentials.length == 2
end
def credentials
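Review bot: The strengthened condition in `basic?` changes the predicate's meaning from "the scheme is Basic" to "the scheme is Basic and the decoded credentials are well-formed", and nothing near the line records that intent, so a later reader could "simplify" it back. I would add above the method: `# RFC 2617 requires "user-id:password"; a value with no separating colon is malformed and is answered with 400, not 401. An empty password ("user:") still decodes to two elements.` The check also depends on `credentials` (its `def` is the last line of the hunk, its body is outside it) splitting with a limit of 2 so the empty-password element is kept; if that split ever lost its limit, `"user:"` would yield a single element and valid empty passwords would start failing with 400, so it is worth noting in the comment that the two methods are coupled.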
diff --git a/test/spec_auth_basic.rb b/test/spec_auth_basic.rb
index 3e479ace..79d034b8 100644
--- a/test/spec_auth_basic.rb
+++ b/test/spec_auth_basic.rb
@@ -84,6 +84,15 @@ describe Rack::Auth::Basic do
end
end
+ it 'return 400 Bad Request for a authorization header with only username' do
+ auth = 'Basic ' + ['foo'].pack("m*")
+ request 'HTTP_AUTHORIZATION' => auth do |response|
+ response.must_be :client_error?
+ response.status.must_equal 400
+ response.wont_include 'WWW-Authenticate'
+ end
+ end
+
it 'takes realm as optional constructor arg' do
app = Rack::Auth::Basic.new(unprotected_app, realm) { true }
realm.must_equal app.realm
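Review bot: The new example pins only the rejection path; the commit message's other guarantee, that an empty password with a colon is still accepted, has no test and would regress silently if the split limit in `credentials` ever changed. I would add a sibling example that encodes `'foo:'` via `['foo:'].pack("m*")` and asserts the response is not a 400, so the header is treated as well-formed and handed to whichever authenticator the spec's `request` helper wires up. The title also reads awkwardly; I would change it to `it 'returns 400 Bad Request for an authorization header with only a username' do`. The `describe` block containing these examples starts before the hunk, and the `it 'takes realm ...'` example at the end continues past it.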