diff --git a/src/middleware/basic-auth/index.ts b/src/middleware/basic-auth/index.ts index 3c1cad5e..f1a2c379 100644 --- a/src/middleware/basic-auth/index.ts +++ b/src/middleware/basic-auth/index.ts @@ -5,32 +5,9 @@ import type { Context } from '../../context' import { HTTPException } from '../../http-exception' -import type { HonoRequest } from '../../request' import type { MiddlewareHandler } from '../../types' +import { auth } from '../../utils/basic-auth' import { timingSafeEqual } from '../../utils/buffer' -import { decodeBase64 } from '../../utils/encode' - -const CREDENTIALS_REGEXP = /^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9._~+/-]+=*) *$/ -const USER_PASS_REGEXP = /^([^:]*):(.*)$/ -const utf8Decoder = new TextDecoder() -const auth = (req: HonoRequest) => { - const match = CREDENTIALS_REGEXP.exec(req.header('Authorization') || '') - if (!match) { - return undefined - } - - let userPass = undefined - // If an invalid string is passed to atob(), it throws a `DOMException`. - try { - userPass = USER_PASS_REGEXP.exec(utf8Decoder.decode(decodeBase64(match[1]))) - } catch {} // Do nothing - - if (!userPass) { - return undefined - } - - return { username: userPass[1], password: userPass[2] } -} type BasicAuthOptions = | { @@ -98,7 +75,7 @@ export const basicAuth = ( } return async function basicAuth(ctx, next) { - const requestUser = auth(ctx.req) + const requestUser = auth(ctx.req.raw) if (requestUser) { if (verifyUserInOptions) { if (await options.verifyUser(requestUser.username, requestUser.password, ctx)) { diff --git a/src/utils/basic-auth.test.ts b/src/utils/basic-auth.test.ts new file mode 100644 index 00000000..01e15dae --- /dev/null +++ b/src/utils/basic-auth.test.ts @@ -0,0 +1,57 @@ +import { HonoRequest } from '../request' +import { auth } from './basic-auth' + +describe('auth', () => { + it('auth() - not include Authorization Header', () => { + const res = auth(new Request('http://localhost/auth')) + expect(res).toBeUndefined() + }) + + it('auth() - invalid Authorization Header format', () => { + const res = auth( + new Request('http://localhost/auth', { + headers: { Authorization: 'InvalidAuthHeader' }, + }) + ) + expect(res).toBeUndefined() + }) + + it('auth() - invalid Base64 string in Authorization Header', () => { + const res = auth( + new Request('http://localhost/auth', { + headers: { Authorization: 'Basic InvalidBase64' }, + }) + ) + expect(res).toBeUndefined() + }) + + it('auth() - valid Authorization Header', () => { + const validBase64 = btoa('username:password') + const res = auth( + new Request('http://localhost/auth', { + headers: { Authorization: `Basic ${validBase64}` }, + }) + ) + expect(res).toEqual({ username: 'username', password: 'password' }) + }) + + it('auth() - empty username', () => { + const validBase64 = btoa(':password') + const res = auth( + new Request('http://localhost/auth', { + headers: { Authorization: `Basic ${validBase64}` }, + }) + ) + expect(res).toEqual({ username: '', password: 'password' }) + }) + + it('auth() - empty password', () => { + const validBase64 = btoa('username:') + const res = auth( + new Request('http://localhost/auth', { + headers: { Authorization: `Basic ${validBase64}` }, + }) + ) + expect(res).toEqual({ username: 'username', password: '' }) + }) +}) diff --git a/src/utils/basic-auth.ts b/src/utils/basic-auth.ts new file mode 100644 index 00000000..a2efa881 --- /dev/null +++ b/src/utils/basic-auth.ts @@ -0,0 +1,26 @@ +import { decodeBase64 } from './encode' + +const CREDENTIALS_REGEXP = /^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9._~+/-]+=*) *$/ +const USER_PASS_REGEXP = /^([^:]*):(.*)$/ +const utf8Decoder = new TextDecoder() + +export type Auth = (req: Request) => { username: string; password: string } | undefined + +export const auth: Auth = (req: Request) => { + const match = CREDENTIALS_REGEXP.exec(req.headers.get('Authorization') || '') + if (!match) { + return undefined + } + + let userPass = undefined + // If an invalid string is passed to atob(), it throws a `DOMException`. + try { + userPass = USER_PASS_REGEXP.exec(utf8Decoder.decode(decodeBase64(match[1]))) + } catch {} // Do nothing + + if (!userPass) { + return undefined + } + + return { username: userPass[1], password: userPass[2] } +}