From cfa2fc0cebd2586d9e2b9ee94905eed6e8cf5703 Mon Sep 17 00:00:00 2001
From: Ryan Smith
Date: Fri, 16 Aug 2013 17:44:11 +0000
Subject: [PATCH] Improve Auth Header Parsing
Related: #105
Use the URL safe version of base64 decoding.
Don't break when comparing secret keys to advert possible timing attacks.
Add tests for auth parsing.
---
 auth/auth.go | 4 ++--
 auth/auth_test.go | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index fa9a8d4..8e44397 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -19,6 +19,7 @@ var (
 keys []*fernet.Key
 )
 
+
 func init() {
 s := os.Getenv("SECRETS")
 if len(s) > 0 {
@@ -50,7 +51,7 @@ func Parse(authLine string) (string, error) {
 return "", errors.New("Authorization must be basic.")
 }
 payload := parts[1]
- decodedPayload, err := base64.StdEncoding.DecodeString(payload)
+ decodedPayload, err := base64.URLEncoding.DecodeString(payload)
 if err != nil {
 return "", err
 }
@@ -80,7 +81,6 @@ func ServeHTTP(w http.ResponseWriter, r *http.Request) {
 for i := range keys {
 if user == keys[i].Encode() {
 matched = true
- break
 }
 }
 if !matched {
diff --git a/auth/auth_test.go b/auth/auth_test.go
index 06bd0cd..7c43ae4 100644
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -58,3 +58,25 @@ func testEncryptDecrypt(t *testing.T, ts authTest) {
 t.Fatalf("actual=%q expected=%q\n", actualOutput, ts.output)
 }
 }
+
+var parseTests = []struct{
+ input string
+ output string
+}{
+ {
+ "Basic QmVjc3RzWVNrSlkzM1VzOTFrZ2w2cVB1Ykhvd1dYY3FhQnhxaHU3TnU2Xz06",
+ "BecstsYSkJY33Us91kgl6qPubHowWXcqaBxqhu7Nu6_=",
+ },
+}
+
+func TestParse(t *testing.T) {
+ for _, ts := range parseTests {
+ res, err := Parse(ts.input)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if res != ts.output {
+ t.Fatalf("acutal=%s expected=%s\n", res, ts.output)
+ }
+ }
+}
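Review bot: Switching Parse unconditionally to base64.URLEncoding on the changed line in the second auth.go hunk rejects credentials encoded the conventional way — HTTP Basic (RFC 7617) uses standard base64, so any `user:password` whose encoding contains `+` or `/` now fails with a decode error, and the new test payload contains neither `-`/`_` nor `+`/`/`, so it does not distinguish the two alphabets. The fernet keys that users are compared against are themselves URL-safe base64, which is presumably the motivation, but that concerns the inner string, not the outer Basic envelope. Accept both alphabets instead: `decodedPayload, err := base64.StdEncoding.DecodeString(payload)` followed by `if err != nil { decodedPayload, err = base64.URLEncoding.DecodeString(payload) }`. Parse begins and ends outside this hunk.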
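Review bot: Removing the `break` in the ServeHTTP hunk does not make the key check constant-time, because `user == keys[i].Encode()` on the line above is a plain string comparison that returns as soon as lengths differ or a byte mismatches, so the per-key timing signal the commit message describes remains; only the early exit over the number of keys is gone. Use `crypto/subtle` for the comparison: `if subtle.ConstantTimeCompare([]byte(user), []byte(keys[i].Encode())) == 1 { matched = true }`, with `"crypto/subtle"` added to the import block. Each iteration also re-encodes `keys[i]` on every request; computing the encoded forms once in init would avoid that, though that change lies outside this hunk. ServeHTTP and the declaration of `matched` are outside the hunk.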
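Review bot: The single parseTests case exercises only the success path with a payload that contains no `-`, `_`, `+` or `/`, so it passes under both StdEncoding and URLEncoding and does not pin down the encoding change made in auth.go; add a case whose base64 contains a URL-safe-only character, plus error cases for a non-Basic scheme and an undecodable payload (those need an expected-error field in the struct). The message on the `t.Fatalf` line misspells "actual" as "acutal" and uses `%s`, where `%q` would make an empty or whitespace result visible: `t.Fatalf("actual=%q expected=%q\n", res, ts.output)`, matching the message in testEncryptDecrypt just above. `[]struct{` is not gofmt output; it should read `[]struct {`.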