fix: fix basic auth middleware (#227)

honojs · May 14, 2022 · 62b9238 · 62b9238
1 parent d3a7df3
commit 62b9238
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 8 deletions.
diff --git a/src/middleware/basic-auth/index.test.ts b/src/middleware/basic-auth/index.test.ts
@@ -62,11 +62,18 @@ describe('Basic Auth by Middleware', () => {
     })
   )
 
+  app.use('/nested/*', async (c, next) => {
+    const auth = basicAuth({ username: username, password: password })
+    await auth(c, next)
+  })
+
   app.get('/auth/*', () => new Response('auth'))
   app.get('/auth-unicode/*', () => new Response('auth'))
   app.get('/auth-multi/*', () => new Response('auth'))
   app.get('/auth-override-func/*', () => new Response('auth'))
 
+  app.get('/nested/*', () => new Response('nested'))
+
   it('Should not authorize', async () => {
     const req = new Request('http://localhost/auth/a')
     const res = await app.request(req)
@@ -126,4 +133,26 @@ describe('Basic Auth by Middleware', () => {
     expect(res.status).toBe(200)
     expect(await res.text()).toBe('auth')
   })
+
+  it('Should authorize - nested', async () => {
+    const credential = Buffer.from(username + ':' + password).toString('base64')
+
+    const req = new Request('http://localhost/nested')
+    req.headers.set('Authorization', `Basic ${credential}`)
+    const res = await app.request(req)
+    expect(res).not.toBeNull()
+    expect(res.status).toBe(200)
+    expect(await res.text()).toBe('nested')
+  })
+
+  it('Should not authorize - nested', async () => {
+    const credential = Buffer.from('foo' + ':' + 'bar').toString('base64')
+
+    const req = new Request('http://localhost/nested')
+    req.headers.set('Authorization', `Basic ${credential}`)
+    const res = await app.request(req)
+    expect(res).not.toBeNull()
+    expect(res.status).toBe(401)
+    expect(await res.text()).toBe('Unauthorized')
+  })
 })
diff --git a/src/middleware/basic-auth/index.ts b/src/middleware/basic-auth/index.ts
@@ -48,7 +48,6 @@ export const basicAuth = (
 
   return async (ctx: Context, next: Next) => {
     const requestUser = auth(ctx.req)
-
     if (requestUser) {
       for (const user of users) {
         const usernameEqual = await timingSafeEqual(
@@ -64,15 +63,15 @@ export const basicAuth = (
         if (usernameEqual && passwordEqual) {
           // Authorized OK
           await next()
+          return
         }
       }
-    } else {
-      ctx.res = new Response('Unauthorized', {
-        status: 401,
-        headers: {
-          'WWW-Authenticate': 'Basic realm="' + options.realm.replace(/"/g, '\\"') + '"',
-        },
-      })
     }
+    ctx.res = new Response('Unauthorized', {
+      status: 401,
+      headers: {
+        'WWW-Authenticate': 'Basic realm="' + options.realm.replace(/"/g, '\\"') + '"',
+      },
+    })
   }
 }