Basic Auth is broken when using non-ASCII characters

[EvgenyOrekhov]

username: Ремонтник
password: Ремонтник

Swagger-UI produces the following header

Authorization: Basic IDU8Pj1CPTg6OiA1PD49Qj04Og==

But it's wrong. The correct header for the above credentials is

Authorization: Basic 0KDQtdC80L7QvdGC0L3QuNC6OtCg0LXQvNC+0L3RgtC90LjQug==

Swagger-UI version: 2.2.6

Update: this happens only when I use Swagger-UI's "Authorize" button, this does not happen when I use browser's native Basic Auth prompt.

[webron]

Yeah, looks like there's an issue with the character encoding.

[bobince]

Looks like swagger-ui uses btoa to encode to base64. The native browser btoa function treats every input character as a byte with the same number, and throws for any character outside of the range 0–255 (which maps to ISO-8859-1). However swagger-ui supplies its own implementation of btoa that silently takes the lowest 8 bits of each code point and discards the rest, resulting in the mangled IDU8Pj1C... token.

If you wanted to send credentials in UTF-8 instead of ISO-8859-1, which would be necessary to send Cyrillic characters, you could change the line in btoa:

buffer = new Buffer(str.toString(), 'binary');

to

buffer = new Buffer(str.toString(), 'utf-8');

although as this behaviour is no longer btoa-compatible you would probably want to rename the function.

Basic authentication character encoding is a long-running source of frustration on the web in general. Until recently, the correct encoding was completely undefined; there is little agreement between browsers and servers on what the encoding should be. RFC 7617 finally extends Basic Auth to support non-ASCII characters with UTF-8, but until that's widely implemented it's not at all clear what encoding a service wants.

Changing btoa as above will work for servers that want UTF-8 but break if there's anything that wants ISO-8859-1 (not to mention all the other locale-specific encodings IE can send). There might have to be an option to specific which encoding is desired?

[fehguy]

eww I wasn't aware of these issues with basic auth. Maybe this is how we convince people to stop using it :)

We do need to support this on the node server as well. Perhaps you have time to submit a test and/or a fix as a PR and we can get it in?

[webron]

@bodnia this seems to be the case with 3.X as well. Can you look into it?

[bodnia]

@EvgenyOrekhov the fix is in latest master, could you please check

[EvgenyOrekhov]

@bodnia I tried, but I wasn't able to because of #2855.

[EvgenyOrekhov]

@bodnia It works, thanks!

[Anastasiyaaa]

It doesn't seem to work for version 3.51 when using SwaggerUIBundle

[hkosova]

@Anastasiyaaa please open a new issue and fill in the issue template.