From 202931f399c572947cc62df33829967eed4bfeaf Mon Sep 17 00:00:00 2001
From: Florian Schmidt
Date: Thu, 6 Jul 2017 18:10:52 +0200
Subject: [PATCH] Basic: Fix auth when password contains colon
A colon is a valid character in the password, however currently the chars including and after the colon are stripped of the password which leads in false-positives (user can't login even if the password is correct). This commit fixes that.
Fixes #20
---
 lib/passport-http/strategies/basic.js | 4 +--
 test/strategies/basic-test.js | 36 +++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/lib/passport-http/strategies/basic.js b/lib/passport-http/strategies/basic.js
index a1f251c..9a92698 100644
--- a/lib/passport-http/strategies/basic.js
+++ b/lib/passport-http/strategies/basic.js
@@ -77,8 +77,8 @@ BasicStrategy.prototype.authenticate = function(req) {
 if (!/Basic/i.test(scheme)) { return this.fail(this._challenge()); }
 if (credentials.length < 2) { return this.fail(400); }

- var userid = credentials[0];
- var password = credentials[1];
+ var userid = credentials.shift();
+ var password = credentials.join(':');
 if (!userid || !password) {
 return this.fail(this._challenge());
 }
diff --git a/test/strategies/basic-test.js b/test/strategies/basic-test.js
index 6a5b453..338dac1 100644
--- a/test/strategies/basic-test.js
+++ b/test/strategies/basic-test.js
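Review bot: The new `credentials.shift()` / `credentials.join(':')` pair implements the RFC 7617 rule that only the first colon separates user-id from password, but nothing in the hunk records that, and an index lookup is the obvious thing a later maintainer would "simplify" it back to; a comment above `var userid` would prevent that: `// RFC 7617 §2: the user-id cannot contain ':' but the password can, so only the first colon is a separator.` Note that `shift()` mutates `credentials` in place, which is fine as long as the array is not read again later in `authenticate` (the function continues outside the hunk); if it is, `credentials[0]` is now the second segment. The unchanged `!password` guard still answers an empty password (`user:`) with a challenge, while `user::` now yields the password `:`; both look intended but are worth stating in the same comment. The `length < 2` check before the hunk, presumably the result of a `split(':')` on the decoded header, still rejects a header with no colon at all with a 400.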
@@ -52,6 +52,42 @@ vows.describe('BasicStrategy').addBatch({
 },
 },

+ 'strategy handling a request with a colon in password': {
+ topic: function() {
+ var strategy = new BasicStrategy(function(userid, password, done) {
+ done(null, { username: userid, password: password });
+ });
+ return strategy;
+ },
+
+ 'after augmenting with actions': {
+ topic: function(strategy) {
+ var self = this;
+ var req = {};
+ strategy.success = function(user) {
+ self.callback(null, user);
+ }
+ strategy.fail = function() {
+ self.callback(new Error('should not be called'));
+ }
+
+ req.headers = {};
+ req.headers.authorization = 'Basic VGVzdHVzZXI6MTIzOi4uLg==';
+ process.nextTick(function () {
+ strategy.authenticate(req);
+ });
+ },
+
+ 'should not generate an error' : function(err, user) {
+ assert.isNull(err);
+ },
+ 'should authenticate' : function(err, user) {
+ assert.equal(user.username, 'Testuser');
+ assert.equal(user.password, '123:...');
+ },
+ },
+ },
+
 'strategy handling a request that is not verified': {
 topic: function() {
 var strategy = new BasicStrategy(function(userid, password, done) {
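Review bot: The function expressions assigned to `strategy.success` and `strategy.fail` in the inner `topic` are closed with a bare `}` instead of `};`, so those two assignment statements rely on automatic semicolon insertion; ending them with `};` keeps them consistent with the other statements in the fixture. The fixture header decodes to `Testuser:123:...`, which covers a colon followed by further characters; a second case whose decoded credential is `Testuser::` (password a lone colon) would pin down that `join(':')` keeps a bare colon and that the unchanged `!password` guard is not triggered. The `'should authenticate'` vow dereferences `user` unconditionally, so a strategy failure would surface as a TypeError rather than the assertion message; that matches the vows style used here, but is worth knowing when reading a failure.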