BASIC strategy does not support passwords that contain colons

[blevine]

Colons are legal characters in passwords. Because of the way the BASIC strategy splits the BASIC username:password header, passwords containing a colon character fail. Per the following code from basic.js:

var scheme = parts[0]
, credentials = new Buffer(parts[1], 'base64').toString().split(':');

if (!/Basic/i.test(scheme)) { return this.fail(this._challenge()); }
if (credentials.length < 2) { return this.fail(400); }

var userid = credentials[0];
var password = credentials[1];

you can see that a split(':') on "myusername:my:password" will result in 3 parts instead of the expected 2. Better to use something like:

.split(':').slice(1).join(':')

or a regexp to get the password. Not sure that I can work up a patch before the new year, but reporting the issue now.

[OliverJAsh]

To work around this issue, I’m using encodeURIComponent on the user credentials before sending them along in the request. Perhaps it would be a good idea if passport-http would natively decode the credentials as URI components?

[FlorianSW]

We've this issue, too. Is there a plan to fix this issue? The provided PR doesn't look that bad (I left a comment, though). So probably we've the chance to fix this (already very old) issue? :)

[saborrie]

Any reason that this hasn't been merged/closed yet? This issue is now 4 years old 😮