In HTTP Basic Auth, although a username may not contain a colon, a password may. At this point, Kitura authentication fails when supplying a password containing a colon.

The lines in question seem to be here:
https://github.com/IBM-Swift/Kitura-CredentialsHTTP/blob/660c43cf11da63561e45dd14d805c34041bd73fa/Sources/CredentialsHTTP/CredentialsHTTPBasic.swift#L110-L117

The password is set to be the second item in the components (after separating by colons), but actually, the password should be all items after the first, joined by colons. So...

user:pass:with:some:colons

User is item 0. Pass is 1...4 joined by : characters, namely pass:with:some:colons.

What's the recommended way to authenticate for specific resources using HTTP Basic Auth?

For example, suppose I have an endpoint to POST a message for a certain conversation:

router.post("/messages") { (request, response, next) in
    // Extract conversation UUID from request body...
    let uuid = UUID_FROM_BODY
    // Post the message for this conversation, etc...
    // Respond to client
    response.status(.accepted) 
}

But only certain users are authorized to POST for certain conversations. A UserProfileLoader allows me to check for the existence of a user and confirm their password, but how can I confirm that they have access to a specific resource? E.g. in the example above, I would need to pass the conversation UUID to a UserProfileLoader function in addition to the userId.

I'm working on setting up HTTP Basic Auth and I think I may have found a nasty bug. When I go to the OpenAPI UI and access one of the protected routes, I get the username and password prompt as expected. When I enter an incorrect username and password, the prompt reappears so I can try again with different credentials (expected). The issue is that if I hit the cancel button on the prompt, the server returns a 401 HTTP Status code (expected), but also returns the data that they are not authorized to access (unexpected).

Here is how I setup the Basic Auth:

func initializeBasicAuth(app: App) {
    let credentials = Credentials()
    
    let basicCredentials = CredentialsHTTPBasic(verifyPassword: { username, password, callback in
        UserAuth.authEntry(username: username, onCompletion: { (authMatches, error) in
            if let entries = authMatches, let userAuth = entries.first {
                
                // Check Password
                let saltedPassword = "\(password)\(userAuth.salt)"
                let hashedPassword = hashPassword(saltedPassword)
                
                if hashedPassword == userAuth.hashedPassword {
                    let userProfile = UserProfile(id: userAuth.username,
                                                  displayName: username,
                                                  provider: "HTTPBasic")
                    callback(userProfile)
                } else {
                    callback(nil)
                }
            } else {
                callback(nil)
            }
        })
    })
    
    credentials.register(plugin: basicCredentials)
    app.router.get("/entries", middleware: credentials)
    app.router.put("/entries", middleware: credentials)
    app.router.delete("/entries", middleware: credentials)
}

So if I use the OpenAPI UI to perform a GET request on the /entries endpoint, I still get the JSON data back in the body of the response along with the 401 HTTP Status code in the headers.

If the Authorisation Header is not correct the whole app is crashing. As this is a server add-on, it should fail silently and not crash.

So there should be a check on whether authorizationComponents array has at least 2 items, before accessing the items.

Hi master,
I hava a simple question about the login page.
Can I customize the login page and how?
example: the user name placeholder instead of email.
Thanks.

Hello,
I want add HTTP basic auth to my project but when I add CredentialsHTTP package I got error during building the package - http://prntscr.com/ihtfu7

Also I found it's a common issues:
Kitura/BlueCryptor#27
Kitura/BlueCryptor#29

With the same list of packages, but without CredentialsHTTP everything is built fine http://prntscr.com/ihthyi
Please help me with this issue.

Thanks in advance,
Oleksandr

How do i resolve this issue?
thanks

E.g. update Package.swift

Issue descriptioon

VerifyPassword is currently defined as follows (with a nonescaping closure for UserProfile):
public typealias VerifyPassword = (String, String, (UserProfile?)->Void) -> Void

However, when using e.g. Kuery for doing DB lookups to verify passwords from a database, DB query functions are escaping. This results in code like the following example:

let basicCredentials = CredentialsHTTPBasic( verifyPassword: { userID, password, callback in
    let query = Select(users.email, users.password, from: users)
        .where(users.email == userID)

    connection.execute(query: query) { result in
        if let rows = result.asRows {
            if let truePassword = rows[0]["password"] as? String {
                if truePassword == password {
                    callback(UserProfile(id: userID, displayName: userID, provider: "HTTPBasic-Kitura"))
                    return
                }
            }
        callback(nil)
    }
})

In this case the Swift Complier will generate an error:

Closure use of non-escaping parameter 'callback' may allow it to escape

Suggested fix

Change VerifyPassword typealias to use an explicitly escaping closure:

public typealias VerifyPassword = (String, String, @escaping(UserProfile?)->Void) -> Void

It doesn't compile

I stabled upon this issue when added CredentialsHTTP as dependency to my Kitura project. Basically solution to get this working is same as proposed on main Kitura project in Troubleshooting section
I think this should be added to README.md

Troubleshooting
Seeing error ld: library not found for -lCHttpParser for architecture x86_64 on build:

To solve this, go to your build settings and add $SRCROOT/.build/debug to the Library Search Paths for the CredentialsHTTP targets.