

Improve Auth Header Parsing
Related: #105

Use the URL safe version of base64 decoding. Don't break
when comparing secret keys to avert possible timing attacks.
Add tests for auth parsing.
ryandotsmith committed Aug 16, 2013
1 parent 27b6331 commit cfa2fc0
Showing 2 changed files with 24 additions and 2 deletions.
4 changes: 2 additions & 2 deletions auth/auth.go
Expand Up @@ -19,6 +19,7 @@ var (
keys []*fernet.Key
)


func init() {
s := os.Getenv("SECRETS")
if len(s) > 0 {
Expand Down Expand Up @@ -50,7 +51,7 @@ func Parse(authLine string) (string, error) {
return "", errors.New("Authorization must be basic.")
}
payload := parts[1]
decodedPayload, err := base64.StdEncoding.DecodeString(payload)
decodedPayload, err := base64.URLEncoding.DecodeString(payload)
if err != nil {
return "", err
}
Expand Down Expand Up @@ -80,7 +81,6 @@ func ServeHTTP(w http.ResponseWriter, r *http.Request) {
for i := range keys {
if user == keys[i].Encode() {
matched = true
break
}
}
if !matched {
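Review bot: Removing the `break` in ServeHTTP's key loop fixes the early-exit leak but leaves `user == keys[i].Encode()` as an ordinary string comparison, which still stops at the first differing byte, so the timing concern named in the commit message is only partly addressed. Compare in constant time instead: `if subtle.ConstantTimeCompare([]byte(user), []byte(keys[i].Encode())) == 1 {` (import `crypto/subtle`), and keep iterating over every key as the commit already does. The rest of ServeHTTP, including where `user` and `matched` are set and consumed, lies outside the hunk. In the Parse hunk, switching to base64.URLEncoding means a credential encoded with the standard alphabet (`+`, `/`), which is what typical Basic-auth clients send, now fails to decode; if both forms must be accepted, fall back to StdEncoding when URLEncoding returns an error, and document the URL-safe requirement on Parse either way.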
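--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -58,3 +58,25 @@ func testEncryptDecrypt(t *testing.T, ts authTest) {
 t.Fatalf("actual=%q expected=%q\n", actualOutput, ts.output)
 }
 }
+
+var parseTests = []struct{
+input string
+output string
+}{
+{
+"Basic QmVjc3RzWVNrSlkzM1VzOTFrZ2w2cVB1Ykhvd1dYY3FhQnhxaHU3TnU2Xz06",
+"BecstsYSkJY33Us91kgl6qPubHowWXcqaBxqhu7Nu6_=",
+},
+}
+
+func TestParse(t *testing.T) {
+for _, ts := range parseTests {
+res, err := Parse(ts.input)
+if err != nil {
+t.Fatal(err)
+}
+if res != ts.output {
+t.Fatalf("acutal=%s expected=%s\n", res, ts.output)
+}
+}
+}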
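Review bot: The failure message on the `t.Fatalf` in TestParse misspells the word: `t.Fatalf("actual=%q expected=%q\n", res, ts.output)`, with `%q` so that an empty or whitespace-bearing result is visible in the output. parseTests only exercises the success path; adding an entry with a non-Basic scheme and one whose payload is not valid URL-safe base64 would cover the two error returns in Parse that this commit touched, which means the table needs an expected-error field alongside `output`. gofmt also writes the declaration as `var parseTests = []struct {`.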
