swallow bad auth errors, fixes #17

2025-02-17 23:45:29 -05:00 · 2013-12-06 21:46:51 +04:00 · 2013-12-06 21:46:51 +04:00 · a257fc3962
commit a257fc3962
parent 6a295ac196
2 changed files with 21 additions and 8 deletions
--- a/lib/index.js
+++ b/lib/index.js
@ -174,9 +174,17 @@ module.exports = function(config_hash) {
 	app.put('/-/user/:argument/-rev/*', function(req, res, next) {
 		// can't put 'org.couchdb.user' in route address for some reason
 		if (req.params.argument.split(':')[0] !== 'org.couchdb.user') return next('route')
+
+		if (req.remoteUser == null) {
+			res.status(403)
+			return res.send({
+				error: 'bad username/password, access denied',
+			})
+		}
+
 		res.status(201)
 		return res.send({
-			ok: 'you are authenticated as "' + req.user + '"',
+			ok: 'you are authenticated as "' + req.remoteUser + '"',
 		})
 	})

--- a/lib/middleware.js
+++ b/lib/middleware.js
@ -39,14 +39,19 @@ module.exports.expect_json = function expect_json(req, res, next) {
 }

 module.exports.basic_auth = function basic_auth(callback) {
-	return function(req, res, next) {
+	return function(req, res, _next) {
+		function next(err) {
+			// uncomment this to reject users with bad auth headers
+			//return _next.apply(null, arguments)
+			
+			// swallow error, user remains unauthorized
+			return _next()
+		}
+
 		var authorization = req.headers.authorization

-		if (req.user) return next()
-		if (authorization == null) {
-			req.user = req.remoteUser = undefined
-			return next()
-		}
+		if (req.remoteUser != null) return next()
+		if (authorization == null) return next()

 		var parts = authorization.split(' ')

@ -68,7 +73,7 @@ module.exports.basic_auth = function basic_auth(callback) {
 		, pass = credentials.slice(index + 1)

 		if (callback(user, pass)) {
-			req.user = req.remoteUser = user
+			req.remoteUser = user
 			next()
 		} else {
 			next({