0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-01-13 22:51:08 -05:00

basicauth: Don't remove Authorization header on good auth (fixes #1508)

This commit is contained in:
Matthew Holt 2017-03-10 16:45:36 -07:00
parent 5a41e8bc1a
commit 6aa0e30af3
2 changed files with 5 additions and 9 deletions

View file

@ -62,13 +62,8 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
// by this point, authentication was successful // by this point, authentication was successful
isAuthenticated = true isAuthenticated = true
// remove credentials from request to avoid leaking upstream // let upstream middleware (e.g. fastcgi and cgi) know about authenticated user
r.Header.Del("Authorization") r = r.WithContext(context.WithValue(r.Context(), caddy.CtxKey("remote_user"), username))
// let upstream middleware (e.g. fastcgi and cgi) know about authenticated
// user; this replaces the request with a wrapped instance
r = r.WithContext(context.WithValue(r.Context(),
caddy.CtxKey("remote_user"), username))
} }
} }

View file

@ -92,8 +92,9 @@ func TestBasicAuth(t *testing.T) {
t.Errorf("Test %d: response should have a 'Www-Authenticate' header", i) t.Errorf("Test %d: response should have a 'Www-Authenticate' header", i)
} }
} else { } else {
if got, want := req.Header.Get("Authorization"), ""; got != want { if req.Header.Get("Authorization") == "" {
t.Errorf("Test %d: Expected Authorization header to be stripped from request after successful authentication, but is: %s", i, got) // see issue #1508: https://github.com/mholt/caddy/issues/1508
t.Errorf("Test %d: Expected Authorization header to be retained after successful auth, but was empty", i)
} }
} }
} }