Fix for HTTP Basic Auth when base64 encoded string wraps

When using a token longer than approximately 45 characters, the base64 encoded string passed in the HTTP_AUTHORIZATION header will contain newline characters. The existing implementation used a regex which didn't handle this case correctly.
2022-11-09 12:18:31 -05:00 · 2010-11-15 07:45:56 +08:00 · 2010-11-15 07:45:56 +08:00 · 19219cbe0f
commit 19219cbe0f
parent 32c6f7b00b
2 changed files with 11 additions and 1 deletions
--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@ -97,7 +97,7 @@ module Devise
      # Helper to decode credentials from HTTP.
      def decode_credentials
        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/
-        ActiveSupport::Base64.decode64($1).split(/:/, 2)
+        ActiveSupport::Base64.decode64(request.authorization.split(' ', 2).last).split(/:/, 2)
      end

      # Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
--- a/test/integration/http_authenticatable_test.rb
+++ b/test/integration/http_authenticatable_test.rb
@ -47,6 +47,16 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
    end
  end

+  test 'sign in should authenticate with really long token' do
+    token = "token_containing_so_many_characters_that_the_base64_encoding_will_wrap"
+    user = create_user
+    user.update_attribute :authentication_token, token
+    get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "Basic #{ActiveSupport::Base64.encode64("#{token}:x")}"
+    assert_response :success
+    assert_match "<email>user@test.com</email>", response.body
+    assert warden.authenticated?(:user)
+  end
+  
  private

    def sign_in_as_new_user_with_http(username="user@test.com", password="123456")