Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (go version)?
1.8
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
amd64 linux
What did you do?
Although RFC 2617 section 2 seems to specify that a basic auth header should be in the format "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", with the first letter of "basic" capitalized, this is not explicitly stated.
parseBasicAuth() requires "Basic". While this may be correct, many clients send "BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==". This was changed in Rails in 2015, for instance.
That issue incorrectly uses RFC 2617 section 1 as justification, but as section 2 does not explicitly require Basic this seems like something that should be changed in order to offer the broadest compatibility with clients.
You state that rails/rails#21199 "incorrectly uses RFC 2617 section 1 as justification"; I would argue that the justification is entirely correct. RFC 2617 describes the framework of an authentication method and two specific schemes that use the framework. Since the framework definition in section 1.2 says it "uses an extensible, case-insensitive token to identify the authentication scheme", an individual scheme cannot change this and treat the token as case sensitive, nor does each defined scheme need to specify that the token is case insensitive.
gopherbot removed the NeedsDecision label on May 4, 2018
What did you expect to see?
With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "Aladdin", "open sesame", true
What did you see instead?
With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "", "", false
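An added example, not code from the Go standard library or from anyone in this thread: it contrasts the exact-match scheme check reported in the issue with a case-insensitive comparison of the scheme token as RFC 2617 section 1.2 describes. The names strictBasicAuth, lenientBasicAuth and decodeCredentials are hypothetical, and the sample headers are constructed from the credentials quoted in the issue.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

const prefix = "Basic "

// strictBasicAuth (hypothetical name) models the behaviour reported in the
// issue: the scheme must match "Basic " byte for byte.
func strictBasicAuth(auth string) (user, pass string, ok bool) {
	if !strings.HasPrefix(auth, prefix) {
		return "", "", false
	}
	return decodeCredentials(auth[len(prefix):])
}

// lenientBasicAuth (hypothetical name) compares the scheme token without
// regard to case. The length check prevents slicing past the end of a
// short header value.
func lenientBasicAuth(auth string) (user, pass string, ok bool) {
	if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
		return "", "", false
	}
	return decodeCredentials(auth[len(prefix):])
}

// decodeCredentials base64-decodes "user:pass" and splits on the first colon.
func decodeCredentials(b64 string) (user, pass string, ok bool) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", false
	}
	i := strings.IndexByte(string(raw), ':')
	if i < 0 {
		return "", "", false
	}
	return string(raw[:i]), string(raw[i+1:]), true
}

func main() {
	// Constructed sample headers using the credentials from the issue.
	for _, h := range []string{"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", "BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ=="} {
		_, _, strictOK := strictBasicAuth(h)
		u, p, lenientOK := lenientBasicAuth(h)
		fmt.Printf("%-6.6s strict=%v lenient=%v user=%q pass=%q\n", h, strictOK, lenientOK, u, p)
	}
}
```

Only the scheme token is compared case-insensitively; the base64 payload and the decoded credentials remain case sensitive.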