fix: basic auth invalid base64 string

Welling Guzman · Welling Guzman · commit 1ed89e707da6 · 2022-05-26T12:02:45.000+02:00
fixes #2170
diff --git a/middleware/basic_auth.go b/middleware/basic_auth.go
@@ -74,10 +74,9 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 			l := len(basic)
 
 			if len(auth) > l+1 && strings.EqualFold(auth[:l], basic) {
-				b, err := base64.StdEncoding.DecodeString(auth[l+1:])
-				if err != nil {
-					return err
-				}
+				// Invalid base64 shouldn't be treated as error
+				// instead should be treated as invalid client input
+				b, _ := base64.StdEncoding.DecodeString(auth[l+1:])
 				cred := string(b)
 				for i := 0; i < len(cred); i++ {
 					if cred[i] == ':' {
diff --git a/middleware/basic_auth_test.go b/middleware/basic_auth_test.go
@@ -58,6 +58,13 @@ func TestBasicAuth(t *testing.T) {
 	assert.Equal(http.StatusUnauthorized, he.Code)
 	assert.Equal(basic+` realm="someRealm"`, res.Header().Get(echo.HeaderWWWAuthenticate))
 
+	// Invalid base64 string
+	auth = basic + " invalidString"
+	req.Header.Set(echo.HeaderAuthorization, auth)
+	he = h(c).(*echo.HTTPError)
+	assert.Equal(http.StatusUnauthorized, he.Code)
+	assert.Equal(basic+` realm="someRealm"`, res.Header().Get(echo.HeaderWWWAuthenticate))
+
 	// Missing Authorization header
 	req.Header.Del(echo.HeaderAuthorization)
 	he = h(c).(*echo.HTTPError)
