RFC 9110 defines the field value of the Authorization header as:
Authorization = credentials
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
which, according to RFC 5234 — ABNF, means there can be one or more spaces between the auth-scheme and token68.
3.6. Variable Repetition: *Rule
The operator "*" preceding an element indicates repetition. The full
form is:
<a>*<b>element
where <a> and <b> are optional decimal values, indicating at least
<a> and at most <b> occurrences of the element.
Default values are 0 and infinity so that *<element> allows any
number, including zero; 1*<element> requires at least one;
3*3<element> allows exactly 3; and 1*2<element> allows one or two.
    // Parsing authorization header.
    parseAuthorization(header) {
      if (basicSchemeRegExp.test(header)) {
        let tokens = header.split(" ");
        return tokens[1];
      }
    }
Your parser assumes the 1*SP part to be a single space, and fails to parse the valid credentials,
Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
erroneously returning "".
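The failure described above, shown beside a parser that follows the `1*SP` rule. This is an added example, not http-auth's code: `legacyToken`, `parseCredentials`, `decodeBasic` and the `/^basic/i` stand-in for `basicSchemeRegExp` are assumptions, and only the token68 form of credentials is handled.

```javascript
// Added example; all function names here are hypothetical.
// RFC 9110: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
//           token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
// " +" implements 1*SP: one or more SP (0x20) only, so a tab is rejected.
const CREDENTIALS = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+) +([A-Za-z0-9._~+\/-]+=*)$/;

// Same logic as the parser quoted in the issue: split on exactly one space.
function legacyToken(header) {
  if (/^basic/i.test(header)) { // assumed stand-in for basicSchemeRegExp
    const tokens = header.split(" ");
    return tokens[1]; // "" when two or more spaces follow the scheme
  }
}

// Grammar-driven parse: scheme, then 1*SP, then a token68.
function parseCredentials(header) {
  const m = CREDENTIALS.exec(header);
  if (!m) return null; // scheme only, wrong separator, or not a token68
  return { scheme: m[1].toLowerCase(), token68: m[2] };
}

// Decode Basic credentials; the password may itself contain ":".
function decodeBasic(header) {
  const c = parseCredentials(header);
  if (!c || c.scheme !== "basic") return null;
  const text = Buffer.from(c.token68, "base64").toString("utf8");
  const i = text.indexOf(":");
  if (i < 0) return null;
  return { user: text.slice(0, i), password: text.slice(i + 1) };
}

// Constructed sample inputs: the issue's token with one and with three spaces.
const TOKEN = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
const ONE_SPACE = "Basic " + TOKEN;
const THREE_SPACES = "Basic   " + TOKEN;

for (const h of [ONE_SPACE, THREE_SPACES]) {
  console.log(JSON.stringify(legacyToken(h)), JSON.stringify(decodeBasic(h)));
}
```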
Code referenced above: http-auth/src/auth/basic.js, lines 64 to 70 in 05bb4d7