Merge pull request #1736 from btcpayserver/basic-auth-fix

fail auth on incorrect basic auth value
2025-02-22 14:22:40 +01:00 · 2020-07-13 18:03:26 +09:00 · 2020-07-13 18:03:26 +09:00 · 37b065ce6a
commit 37b065ce6a
parent dd0f8faf79 4b392ad70a
1 changed files with 16 additions and 5 deletions
--- a/BTCPayServer/Security/GreenField/BasicAuthenticationHandler.cs
+++ b/BTCPayServer/Security/GreenField/BasicAuthenticationHandler.cs
@ -39,11 +39,22 @@ namespace BTCPayServer.Security.GreenField

            if (authHeader == null || !authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
                return AuthenticateResult.NoResult();
-            var encodedUsernamePassword = authHeader.Split(' ', 2, StringSplitOptions.RemoveEmptyEntries)[1]?.Trim();
+            string password;
+            string username;
+            try
+            {
+                var encodedUsernamePassword =
+                    authHeader.Split(' ', 2, StringSplitOptions.RemoveEmptyEntries)[1]?.Trim();
                var decodedUsernamePassword =
                    Encoding.UTF8.GetString(Convert.FromBase64String(encodedUsernamePassword)).Split(':');
-            var username = decodedUsernamePassword[0];
-            var password = decodedUsernamePassword[1];
+                username = decodedUsernamePassword[0];
+                password = decodedUsernamePassword[1];
+            }
+            catch (Exception)
+            {
+                return AuthenticateResult.Fail(
+                    "Basic authentication header was not in a correct format. (username:password encoded in base64)");
+            }

            var result = await _signInManager.PasswordSignInAsync(username, password, true, true);
            if (!result.Succeeded)