Prevents authentication with empty user/pass if both are empty on opts

Fixes #12
goji · Dec 21, 2015 · a731989 · a731989
1 parent 41dcb55
commit a731989
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/basic_auth.go b/basic_auth.go
@@ -48,6 +48,11 @@ func (b basicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 func (b *basicAuth) authenticate(r *http.Request) bool {
 	const basicScheme string = "Basic "
 
+	// Prevent authentication with empty credentials if User and Password is not set
+	if b.opts.User == "" || b.opts.Password == "" {
+		return false
+	}
+
 	// Confirm the request is sending Basic Authentication credentials.
 	auth := r.Header.Get("Authorization")
 	if !strings.HasPrefix(auth, basicScheme) {

diff --git a/basic_auth_test.go b/basic_auth_test.go
@@ -42,3 +42,11 @@ func TestBasicAuthAuthenticate(t *testing.T) {
 		t.Fatal("Failed on correct credentials")
 	}
 }
+
+func TestBasicAuthAutenticateWithouUserAndPass(t *testing.T) {
+	b := basicAuth{opts: AuthOptions{}}
+
+	if b.authenticate(nil) {
+		t.Fatal("Should not authenticate if user or pass are not set on opts")
+	}
+}