fix: basic auth returns 400 on invalid base64 string

Welling Guzman · Welling Guzman · commit 9bd1c7af4894 · 2022-05-26T13:02:50.000+02:00
diff --git a/middleware/basic_auth.go b/middleware/basic_auth.go
@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"strconv"
 	"strings"
+	"net/http"
 
 	"github.com/labstack/echo/v4"
 )
@@ -76,7 +77,11 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 			if len(auth) > l+1 && strings.EqualFold(auth[:l], basic) {
 				// Invalid base64 shouldn't be treated as error
 				// instead should be treated as invalid client input
-				b, _ := base64.StdEncoding.DecodeString(auth[l+1:])
+				b, err := base64.StdEncoding.DecodeString(auth[l+1:])
+				if err != nil {
+					return echo.NewHTTPError(http.StatusBadRequest).SetInternal(err)
+				}
+
 				cred := string(b)
 				for i := 0; i < len(cred); i++ {
 					if cred[i] == ':' {
diff --git a/middleware/basic_auth_test.go b/middleware/basic_auth_test.go
@@ -62,8 +62,7 @@ func TestBasicAuth(t *testing.T) {
 	auth = basic + " invalidString"
 	req.Header.Set(echo.HeaderAuthorization, auth)
 	he = h(c).(*echo.HTTPError)
-	assert.Equal(http.StatusUnauthorized, he.Code)
-	assert.Equal(basic+` realm="someRealm"`, res.Header().Get(echo.HeaderWWWAuthenticate))
+	assert.Equal(http.StatusBadRequest, he.Code)
 
 	// Missing Authorization header
 	req.Header.Del(echo.HeaderAuthorization)
