Got: The `authorization` header is improperly encoded

Created on 21 Apr 2020 · 7Comments · Source: sindresorhus/got

Describe the bug

Actual behavior

When I use the username/password with got, It seems that the combo 'username:password' is encoded with encodeURI() before to be encode in base64 for the basic auth. This first encoding is not necessary due to the base64 encoding and brings problems. So when the encodeURI() change a value like '@' to '%40', the basic authentification doesn't work.

Expected behavior

Just encode the combo 'username:password' with base64 encoding.

Code to reproduce

const got = require('got');

(async () => {
  const response = await got.head("http://example.com/", {username: "user@", password: "password@"});
  console.info("Response:", response.client._httpMessage._header);
}) ();

We see that the Authorization header is invalid

Checklist

[X] I have read the documentation.
[X] I have tried my code with the latest version of Node.js and Got.

bug external nodejs bug

Source

bruno-xo7

👍5 👀1

Most helpful comment

also nodejs/node#31450

The both issues are still open in Nodejs.

I did this workaround on my side until Nodejs fixes the issue:

  const headers = {
    "Authorization": "Basic " + Buffer.from(`user@:password@`).toString("base64")
  };
  await got(encodeURI("http://example.com/"), { headers });

I built the Authorization header instead of filling username and password members of the options objects.

If Nodejs only fixes it on the new version, maybe Got can fix the issue on their side to avoid the bug on old Nodejs versions.

bruno-xo7 on 22 Apr 2020

👍4

All 7 comments

It's a Node.js issue:

const https = require('https');
const getStream = require('get-stream');

const url = new URL('https://httpbin.org/anything');
url.username = 'user@';
url.password = 'password';

https.get(url, async response => {
    const body = await getStream(response);
    console.log(JSON.parse(body));
});

I'm not sure whether it's a bug or valid behavior...

szmarczak on 21 Apr 2020

Reference: https://tools.ietf.org/html/rfc2617 (haven't looked at it yet)

szmarczak on 21 Apr 2020

Took a quick look and found this:

      user-pass   = userid ":" password
      userid      = *<TEXT excluding ":">
      password    = *TEXT

szmarczak on 21 Apr 2020

https://github.com/nodejs/node/issues/31439

szmarczak on 21 Apr 2020

also nodejs/node#31450

The both issues are still open in Nodejs.

I did this workaround on my side until Nodejs fixes the issue:

  const headers = {
    "Authorization": "Basic " + Buffer.from(`user@:password@`).toString("base64")
  };
  await got(encodeURI("http://example.com/"), { headers });

I built the Authorization header instead of filling username and password members of the options objects.

If Nodejs only fixes it on the new version, maybe Got can fix the issue on their side to avoid the bug on old Nodejs versions.

bruno-xo7 on 22 Apr 2020

👍4

maybe Got can fix the issue on their side

We could implement a workaround, but it's not the proper solution. The bug is not a big one, so I'd rather wait until it's fixed on Node.js side. But if you really need this badly, you can send a PR :)

szmarczak on 22 Apr 2020

👍2

@szmarczak Let the library encode it properly, internally. I feel this is a major issue since the library has the options.username and options.password option.