BasicStrategy should not require a non-empty user-id and password
pbuyle opened this issue · 4 comments
pbuyle commented
BasicStrategy requires a non-empty user-id and password. But according to the specification (http://tools.ietf.org/html/rfc1945#section-11.1), both the user-id and the password can be empty; only the ":" is required.
My use case is using Passport to authenticate a public OAuth2 client. Public clients don't have a client secret, so they need to be able to provide an empty password when authenticating using HTTP Basic Authentication.
pbuyle commented
In my application, I monkey-patch the BasicStrategy to implement this.
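/**
 * Replacement for BasicStrategy#authenticate that accepts an empty user-id
 * and/or an empty password in the HTTP Basic credentials.
 *
 * Outcomes:
 *  - no Authorization header, or a scheme other than "Basic": fail with the
 *    strategy's challenge;
 *  - header without a credentials part, or decoded credentials without a
 *    ":" separator: fail with 400;
 *  - otherwise the verify callback is called with the user-id and password
 *    exactly as sent, either of which may be the empty string.
 *
 * Because empty values are passed through unchanged, the verify callback is
 * the only place that can decide whether an empty password is acceptable
 * for a given user-id (for example, only for clients registered as public).
 * It must not treat an empty password as matching an account that has a
 * secret.
 *
 * @param {Object} req - incoming request; only req.headers is read here.
 */
BasicStrategy.prototype.authenticate = function(req) {
  var self = this;

  var authorization = req.headers['authorization'];
  if (!authorization) { return self.fail(self._challenge()); }

  var parts = authorization.split(' ');
  if (parts.length < 2) { return self.fail(400); }

  // Anchored so that only the exact scheme name matches; an unanchored
  // /Basic/i also accepts any scheme that merely contains "basic".
  var scheme = parts[0];
  if (!/^Basic$/i.test(scheme)) { return self.fail(self._challenge()); }

  // Buffer.from replaces the deprecated `new Buffer(string, encoding)`.
  var decoded = Buffer.from(parts[1], 'base64').toString();

  // Only the first ":" separates user-id from password, so a password may
  // itself contain ":". Splitting on every ":" would silently truncate it.
  var separator = decoded.indexOf(':');
  if (separator === -1) { return self.fail(400); }

  var userid = decoded.slice(0, separator);
  var password = decoded.slice(separator + 1);

  function verified(err, user) {
    if (err) { return self.error(err); }
    if (!user) { return self.fail(self._challenge()); }
    self.success(user);
  }

  if (self._passReqToCallback) {
    self._verify(req, userid, password, verified);
  } else {
    self._verify(userid, password, verified);
  }
};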
teknosains commented
I think this repo is no longer maintained by the creator
datuary-jmartinez commented
This is a comment from the author saying that he is resuming work on all Passport-related repos:
alesmenzelsocialbakers commented
any updates on this one ?