
fix: reject colonless Basic-auth credentials (RFC 7617 compliance)#1393

Open
francisjohnjohnston-web wants to merge 1 commit into
h3js:mainfrom
francisjohnjohnston-web:fix/basic-auth-no-colon-bypass
Open

fix: reject colonless Basic-auth credentials (RFC 7617 compliance)#1393
francisjohnjohnston-web wants to merge 1 commit into
h3js:mainfrom
francisjohnjohnston-web:fix/basic-auth-no-colon-bypass

Conversation

@francisjohnjohnston-web commented May 24, 2026

Bug

requireBasicAuth silently authenticates colonless credentials.

When a credential string has no : separator, indexOf(":") returns -1. The subsequent slices become:

  • authDecoded.slice(0, -1) → trims the last character (e.g. "admins" → "admin")
  • authDecoded.slice(0) → the full string ("admins")

So the colonless credential "admins" mis-parses into username="admin" / password="admins". If the server has { username: "admin", password: "admins" } configured, the malformed credential authenticates successfully.

Fix

Reject immediately when colonIndex === -1. RFC 7617 §2 defines the format as user-id ":" password; a missing colon is an unconditionally invalid credential.

const colonIndex = authDecoded.indexOf(":");
if (colonIndex === -1) {
  throw authFailed(event, opts?.realm);   // ← added
}

Test

Added a regression test that sends Basic base64("admins") against a server configured with { username: "admin", password: "admins" }. Before this fix the test returned 200; after it returns 401.

All 36 existing auth tests pass.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced Basic authentication validation to strictly enforce proper credential formatting standards, preventing potential misinterpretation of malformed authentication requests.
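To make the mis-parse concrete, the following is an added stand-alone model of the buggy and fixed parsing described above; it is not h3's code and not the PR author's, and decodeBasic, parseBasicBuggy, parseBasicFixed and authorize are illustrative names.

```javascript
// Added example, not h3's code: a stand-alone model of the requireBasicAuth
// parsing bug described in this PR and of the fix. parseBasicBuggy reproduces
// the colonless mis-parse; parseBasicFixed rejects a credential with no ":"
// as RFC 7617 §2 (user-id ":" password) requires. Names are illustrative.

// Extract and base64-decode the credential from an Authorization header value.
function decodeBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header.trim());
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf8");
}

// Before the fix: indexOf(":") === -1 makes slice(0, -1) drop the last
// character and slice(0) return the whole string, so "admins" becomes
// username "admin" / password "admins".
function parseBasicBuggy(header) {
  const decoded = decodeBasic(header);
  if (decoded === null) return null;
  const colonIndex = decoded.indexOf(":");
  return { username: decoded.slice(0, colonIndex), password: decoded.slice(colonIndex + 1) };
}

// After the fix: a credential without a colon is rejected before splitting.
function parseBasicFixed(header) {
  const decoded = decodeBasic(header);
  if (decoded === null) return null;
  const colonIndex = decoded.indexOf(":");
  if (colonIndex === -1) return null; // RFC 7617 §2: user-id ":" password
  return { username: decoded.slice(0, colonIndex), password: decoded.slice(colonIndex + 1) };
}

// True when the parsed credential equals the configured username/password pair.
function authorize(parse, header, expected) {
  const c = parse(header);
  return c !== null && c.username === expected.username && c.password === expected.password;
}

// Constructed sample matching the PR's regression test: server configured with
// admin / admins, one request sending base64("admins"), one base64("admin:admins").
const EXPECTED = { username: "admin", password: "admins" };
const COLONLESS = "Basic " + Buffer.from("admins").toString("base64");
const VALID = "Basic " + Buffer.from("admin:admins").toString("base64");

console.log("buggy accepts colonless:", authorize(parseBasicBuggy, COLONLESS, EXPECTED)); // true
console.log("fixed accepts colonless:", authorize(parseBasicFixed, COLONLESS, EXPECTED)); // false
console.log("fixed accepts valid:    ", authorize(parseBasicFixed, VALID, EXPECTED));     // true
```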

Review Change Stack

A colonless decoded credential made indexOf(":") return -1, so
slice(0, -1) / slice(0) split e.g. "admins" into user="admin",
pass="admins". With matching config this authenticated a malformed
credential. Reject when no colon is present (RFC 7617).
coderabbitai Bot commented May 24, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 84244b4 and 68ba086.

📒 Files selected for processing (2)
  • src/utils/auth.ts
  • test/auth.test.ts

Walkthrough

The pull request adds explicit validation to the Basic authentication handler to reject credentials lacking the required RFC 7617 colon delimiter. The implementation adds an early check in requireBasicAuth, and a regression test verifies that colonless credentials are correctly rejected with a 401 response.

Changes

Basic Auth Colon Delimiter Validation

Layer: Colon delimiter validation and test
File(s): src/utils/auth.ts, test/auth.test.ts
Summary: requireBasicAuth adds an explicit check rejecting decoded Basic credentials that lack the required colon separator; a test case confirms colonless inputs (e.g., "admins") are rejected with status 401 rather than mis-parsed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • h3js/h3#1283: Prior changes to requireBasicAuth validation and error handling for malformed Basic auth credentials.

Poem

🐰 A colon was lost in the auth domain,
So strict validation took the reign!
Now user:pass must be plain,
Colonless creds? They're in vain! ✨

Pre-merge checks: 5 passed
  • Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled)
  • Title check: Passed (the title clearly and specifically describes the main change: fixing rejection of colonless Basic-auth credentials to comply with RFC 7617, which directly matches the core fix in the changeset)
  • Docstring Coverage: Passed (docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%)
  • Linked Issues check: Passed (check skipped because no linked issues were found for this pull request)
  • Out of Scope Changes check: Passed (check skipped because no linked issues were found for this pull request)
