BasicStrategy should not require not empty user-id and password
pbuyle opened this issue · comments
BasicStrategy requires non-empty user-id and password. But according to the specifications (http://tools.ietf.org/html/rfc1945#section-11.1), both the user-id and the password can be empty, only the ":" is required.
My use case is using Passport to authenticate a public OAuth2 client. Public client don't have a client secret. So they should not provide an empty password when authenticating using HTTP Basic Authentication.
In my application, I mokey-patch the BasicStrategy to implement this.
BasicStrategy.prototype.authenticate = function(req) {
var authorization = req.headers['authorization'];
if (!authorization) { return this.fail(this._challenge()); }
var parts = authorization.split(' ')
if (parts.length < 2) { return this.fail(400); }
var scheme = parts[0]
, credentials = new Buffer(parts[1], 'base64').toString().split(':');
if (!/Basic/i.test(scheme)) { return this.fail(this._challenge()); }
var userid = credentials[0];
var password = credentials[1];
var self = this;
function verified(err, user) {
if (err) { return self.error(err); }
if (!user) { return self.fail(self._challenge()); }
self.success(user);
}
if (self._passReqToCallback) {
this._verify(req, userid, password, verified);
} else {
this._verify(userid, password, verified);
}
}
I think this repo is no longer maintained by the creator
This is a comment from the author saying that he is taking up again all passport-related repos:
any updates on this one ?