author | Jeremy Evans <code@jeremyevans.net> | 2020-01-16 12:17:56 -0800 |
---|---|---|
committer | Jeremy Evans <code@jeremyevans.net> | 2020-01-16 12:35:24 -0800 |
commit | 4e7ccf55985a4d3a3f1c69c138f76b2336fc7719 (patch) | |
tree | e8ebb2987862ed56ded225eb9e28c80a9379d833 | |
parent | 3b15befa7f741e52ebe7bf9f648460a06f3915c8 (diff) | |
download | rack-4e7ccf55985a4d3a3f1c69c138f76b2336fc7719.tar.gz |
Require password for basic authentication
Empty passwords are still allowed, but there must be a colon to
separate username from password, as required by RFC 2617.
Fixes #1138
-rw-r--r-- | lib/rack/auth/basic.rb | 2 | ||||
-rw-r--r-- | test/spec_auth_basic.rb | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/lib/rack/auth/basic.rb b/lib/rack/auth/basic.rb
index d334939c..b61bfffe 100644
--- a/lib/rack/auth/basic.rb
+++ b/lib/rack/auth/basic.rb
@@ -44,7 +44,7 @@ module Rack
 
       class Request < Auth::AbstractRequest
         def basic?
-          "basic" == scheme
+          "basic" == scheme && credentials.length == 2
         end
 
         def credentials
diff --git a/test/spec_auth_basic.rb b/test/spec_auth_basic.rb
index 3e479ace..79d034b8 100644
--- a/test/spec_auth_basic.rb
+++ b/test/spec_auth_basic.rb
@@ -84,6 +84,15 @@ describe Rack::Auth::Basic do
     end
   end
 
+  it 'return 400 Bad Request for a authorization header with only username' do
+    auth = 'Basic ' + ['foo'].pack("m*")
+    request 'HTTP_AUTHORIZATION' => auth do |response|
+      response.must_be :client_error?
+      response.status.must_equal 400
+      response.wont_include 'WWW-Authenticate'
+    end
+  end
+
   it 'takes realm as optional constructor arg' do
     app = Rack::Auth::Basic.new(unprotected_app, realm) { true }
     realm.must_equal app.realm
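Review bot: The new `credentials.length == 2` guard in `basic?` carries no comment saying why a decoded value without a colon is rejected, and the rule is subtle enough (an empty password is fine, a missing colon is not) that the next reader will wonder whether the length check is a bug. I would add above `def basic?`: `# RFC 2617 credentials are "user-id:password"; a decoded value with no colon is malformed and answered with 400, but an empty password ("user:") is still accepted.` Separately, `basic?` now calls into `credentials`, whose body is outside this hunk and appears to decode the header on first use; if `params` can be nil for a bare `Authorization: Basic` header with no token, that call would presumably raise inside `basic?` instead of producing a short array, which is worth confirming with a test for the empty-token case. The enclosing class Request continues outside the hunk.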
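Review bot: The added spec pins the rejection of a colon-less credential, but nothing pins the other half of the commit message, that an empty password after the colon is still accepted, so a later tightening of `basic?` to reject empty fields would pass this suite unnoticed. A companion case that sends `['foo:'].pack("m*")` and asserts only `response.status.wont_equal 400` covers that guarantee without depending on what the spec's authenticator decides about those credentials. The new description also reads awkwardly; I would write `it 'returns 400 Bad Request for an authorization header with only a username' do`. The describe block continues outside the hunk.
```ruby
  it 'does not return 400 for an authorization header with an empty password' do
    auth = 'Basic ' + ['foo:'].pack("m*")
    request 'HTTP_AUTHORIZATION' => auth do |response|
      # A colon is present, so the header is well-formed; whatever the
      # authenticator decides, this must not be treated as a bad request.
      response.status.wont_equal 400
    end
  end
  # … unchanged: 'takes realm as optional constructor arg' …
```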