jaredhanson / passport-http

HTTP Basic and Digest authentication strategies for Passport and Node.js.

Home Page:https://www.passportjs.org/packages/passport-http/?utm_source=github&utm_medium=referral&utm_campaign=passport-http&utm_content=about


BASIC strategy does not support passwords that contain colons

blevine opened this issue

Colons are legal characters in passwords. Because of the way the BASIC strategy splits the BASIC username:password header, passwords containing a colon character fail. Per the following code from basic.js:

```javascript
// `parts` is the Authorization header value split on whitespace:
// parts[0] is the scheme, parts[1] the base64-encoded "userid:password".
var scheme = parts[0]
  , credentials = new Buffer(parts[1], 'base64').toString().split(':');

if (!/Basic/i.test(scheme)) { return this.fail(this._challenge()); }
if (credentials.length < 2) { return this.fail(400); }

// Only the first two pieces are kept, so any colon in the password
// truncates it.
var userid = credentials[0];
var password = credentials[1];
```

You can see that a `split(':')` on "myusername:my:password" will result in 3 parts instead of the expected 2. Better to use something like:

```javascript
.split(':').slice(1).join(':')
```

or a regexp to get the password. Not sure that I can work up a patch before the new year, but reporting the issue now.
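The two parsings side by side, as an added example that is not part of this issue or of passport-http's code: the naive every-colon split beside a parser that splits at the first colon only, which is what RFC 7617 requires since a user-id may not contain a colon. The names `parseBasicNaive`, `parseBasic` and `makeHeader`, and the sample credentials, are chosen here for illustration.

```javascript
// Naive parsing, mirroring the behaviour described in the issue:
// split(':') on every colon and keep only the first two pieces.
function parseBasicNaive(header) {
  const parts = header.split(' ');
  if (parts.length !== 2 || !/^Basic$/i.test(parts[0])) return null;
  const credentials = Buffer.from(parts[1], 'base64').toString('utf8').split(':');
  if (credentials.length < 2) return null;
  return { userid: credentials[0], password: credentials[1] };
}

// Correct parsing: the user-id ends at the FIRST colon; everything after it,
// colons included, is the password. Equivalent to the
// .split(':').slice(1).join(':') suggestion above, without re-joining.
function parseBasic(header) {
  const parts = header.split(' ');
  if (parts.length !== 2 || !/^Basic$/i.test(parts[0])) return null;
  const decoded = Buffer.from(parts[1], 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) return null; // no separator at all: malformed credentials
  return { userid: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Builds a Basic Authorization header value for a constructed test credential.
function makeHeader(userid, password) {
  return 'Basic ' + Buffer.from(userid + ':' + password, 'utf8').toString('base64');
}

// Constructed sample: password contains a colon, as in the issue.
const sampleHeader = makeHeader('myusername', 'my:password');
console.log(parseBasicNaive(sampleHeader)); // password truncated to "my"
console.log(parseBasic(sampleHeader));      // password "my:password" intact
```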

To work around this issue, I’m using encodeURIComponent on the user credentials before sending them along in the request. Perhaps it would be a good idea if passport-http would natively decode the credentials as URI components?

We have this issue, too. Is there a plan to fix this issue? The provided PR doesn't look that bad (I left a comment, though). So probably we have the chance to fix this (already very old) issue? :)

Any reason that this hasn't been merged/closed yet? This issue is now 4 years old 😮