Infrastructure/caddy
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
Code Issues Activity

basicauth: Don't remove Authorization header on good auth (fixes #1508)

Browse source
This commit is contained in:
Matthew Holt 2017-03-10 16:45:36 -07:00
parent 5a41e8bc1a
commit 6aa0e30af3
2 changed files with 5 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
caddyhttp/basicauth/basicauth.go
View file

@ -62,13 +62,8 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
// by this point, authentication was successful // by this point, authentication was successful
isAuthenticated = true isAuthenticated = true
// remove credentials from request to avoid leaking upstream // let upstream middleware (e.g. fastcgi and cgi) know about authenticated user
r.Header.Del("Authorization") r = r.WithContext(context.WithValue(r.Context(), caddy.CtxKey("remote_user"), username))
// let upstream middleware (e.g. fastcgi and cgi) know about authenticated
// user; this replaces the request with a wrapped instance
r = r.WithContext(context.WithValue(r.Context(),
caddy.CtxKey("remote_user"), username))
} }
} }

5
caddyhttp/basicauth/basicauth_test.go
View file

@ -92,8 +92,9 @@ func TestBasicAuth(t *testing.T) {
t.Errorf("Test %d: response should have a 'Www-Authenticate' header", i) t.Errorf("Test %d: response should have a 'Www-Authenticate' header", i)
} }
} else { } else {
if got, want := req.Header.Get("Authorization"), ""; got != want { if req.Header.Get("Authorization") == "" {
t.Errorf("Test %d: Expected Authorization header to be stripped from request after successful authentication, but is: %s", i, got) // see issue #1508: https://github.com/mholt/caddy/issues/1508
t.Errorf("Test %d: Expected Authorization header to be retained after successful auth, but was empty", i)
} }
} }
} }