Fix basic auth user-pass string handling (#530)

Cycloctane · web-flow · commit d77bd568dd08 · 2025-08-18T19:18:46.000+01:00
diff --git a/aiohttp_remotes/basic_auth.py b/aiohttp_remotes/basic_auth.py
@@ -51,7 +51,7 @@ async def middleware(
             except (UnicodeDecodeError, UnicodeEncodeError, binascii.Error):
                 return await self.raise_error(request)
 
-            credentials = auth_decoded.split(":")
+            credentials = auth_decoded.split(":", maxsplit=1)
 
             if len(credentials) != 2:
                 return await self.raise_error(request)
diff --git a/tests/test_basic_auth.py b/tests/test_basic_auth.py
@@ -1,18 +1,21 @@
+import pytest
+
 import aiohttp
 from aiohttp import web
 from aiohttp.pytest_plugin import AiohttpClient
 from aiohttp_remotes import BasicAuth, setup as _setup
 
 
-async def test_basic_auth_ok(aiohttp_client: AiohttpClient) -> None:
+@pytest.mark.parametrize("password", ["pass", "pass:pass:"])
+async def test_basic_auth_ok(aiohttp_client: AiohttpClient, password: str) -> None:
     async def handler(request: web.Request) -> web.Response:
         return web.Response()
 
     app = web.Application()
     app.router.add_get("/", handler)
-    await _setup(app, BasicAuth("user", "pass", "realm"))
+    await _setup(app, BasicAuth("user", password, "realm"))
     cl = await aiohttp_client(app)
-    resp = await cl.get("/", auth=aiohttp.BasicAuth("user", "pass"))
+    resp = await cl.get("/", auth=aiohttp.BasicAuth("user", password))
     assert resp.status == 200
 
 
@@ -55,19 +58,6 @@ async def handler(request: web.Request) -> web.Response:
     assert resp.headers["WWW-Authenticate"] == "Basic realm=realm"
 
 
-async def test_basic_auth_malformed_req2(aiohttp_client: AiohttpClient) -> None:
-    async def handler(request: web.Request) -> web.Response:
-        return web.Response()
-
-    app = web.Application()
-    app.router.add_get("/", handler)
-    await _setup(app, BasicAuth("user", "pass", "realm"))
-    cl = await aiohttp_client(app)
-    resp = await cl.get("/", headers={"Authorization": "Basic nonbase64"})
-    assert resp.status == 401
-    assert resp.headers["WWW-Authenticate"] == "Basic realm=realm"
-
-
 async def test_basic_auth_white_path(aiohttp_client: AiohttpClient) -> None:
     async def handler(request: web.Request) -> web.Response:
         return web.Response()
