From c500ce7accef17ab6dc78af6e0e5eb39de5e7168 Mon Sep 17 00:00:00 2001
From: sigoden <sigoden@gmail.com>
Date: Fri, 6 Sep 2024 21:22:28 +0800
Subject: [PATCH] fix: auth failed if password contains `:` (#449)

---
 README.md     |  3 +--
 src/auth.rs   |  8 ++++----
 tests/auth.rs | 13 +++++++------
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 0982c2f..1456c1d 100644
--- a/README.md
+++ b/README.md
@@ -247,8 +247,7 @@ DUFS supports the use of sha-512 hashed password.
 Create hashed password
 
 ```
-$ mkpasswd  -m sha-512 -s
-Password: 123456 
+$ mkpasswd -m sha-512 123456
 $6$tWMB51u6Kb2ui3wd$5gVHP92V9kZcMwQeKTjyTRgySsYJu471Jb1I6iHQ8iZ6s07GgCIO69KcPBRuwPE5tDq05xMAzye0NxVKuJdYs/
 ```
 
diff --git a/src/auth.rs b/src/auth.rs
index 878dc30..87c9388 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -307,17 +307,17 @@ pub fn check_auth(
 ) -> Option<()> {
     if let Some(value) = strip_prefix(authorization.as_bytes(), b"Basic ") {
         let value: Vec<u8> = STANDARD.decode(value).ok()?;
-        let parts: Vec<&str> = std::str::from_utf8(&value).ok()?.split(':').collect();
+        let (user, pass) = std::str::from_utf8(&value).ok()?.split_once(':')?;
 
-        if parts[0] != auth_user {
+        if user != auth_user {
             return None;
         }
 
         if auth_pass.starts_with("$6$") {
-            if let Ok(()) = sha_crypt::sha512_check(parts[1], auth_pass) {
+            if let Ok(()) = sha_crypt::sha512_check(pass, auth_pass) {
                 return Some(());
             }
-        } else if parts[1] == auth_pass {
+        } else if pass == auth_pass {
             return Some(());
         }
 
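Review bot: The plain-text branch on the new line `} else if pass == auth_pass {` compares the client-supplied password with `==`, which stops at the first differing byte, so response timing can reveal how long a prefix of a guess matched the configured password; the `$6$` branch is not affected because `sha512_check` does its own comparison. A length-independent comparison on that line (compare lengths, then fold the XOR of every byte pair, e.g. via `iter().zip().fold(0, |acc, (a, b)| acc | (a ^ b)) == 0`) would close that gap without changing the interface. The `split_once(':')?` line also deserves a comment recording why it is correct and what it now rejects, since the commit message only mentions passwords containing ':': `// RFC 7617 forbids ':' in the user-id, so the first ':' separates user from password; a value with no ':' is malformed and is rejected here.` check_auth begins before this hunk and continues after it.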
diff --git a/tests/auth.rs b/tests/auth.rs
index 535ecb5..00a5205 100644
--- a/tests/auth.rs
+++ b/tests/auth.rs
@@ -57,17 +57,18 @@ fn invalid_auth(
     Ok(())
 }
 
-const HASHED_PASSWORD_AUTH: &str =  "user:$6$gQxZwKyWn/ZmWEA2$4uV7KKMnSUnET2BtWTj/9T5.Jq3h/MdkOlnIl5hdlTxDZ4MZKmJ.kl6C.NL9xnNPqC4lVHC1vuI0E5cLpTJX81@/:rw"; // user:pass
-
 #[rstest]
+#[case(server(&["--auth", "user:$6$gQxZwKyWn/ZmWEA2$4uV7KKMnSUnET2BtWTj/9T5.Jq3h/MdkOlnIl5hdlTxDZ4MZKmJ.kl6C.NL9xnNPqC4lVHC1vuI0E5cLpTJX81@/:rw", "-A"]), "user", "pass")]
+#[case(server(&["--auth", "user:$6$YV1J6OHZAAgbzCbS$V55ZEgvJ6JFdz1nLO4AD696PRHAJYhfQf.Gy2HafrCz5itnbgNTtTgfUSqZrt4BJ7FcpRfSt/QZzAan68pido0@/:rw", "-A"]), "user", "pa:ss@1")]
 fn auth_hashed_password(
-    #[with(&["--auth", HASHED_PASSWORD_AUTH, "-A"])] server: TestServer,
+    #[case] server: TestServer,
+    #[case] user: &str,
+    #[case] pass: &str,
 ) -> Result<(), Error> {
     let url = format!("{}file1", server.url());
     let resp = fetch!(b"PUT", &url).body(b"abc".to_vec()).send()?;
     assert_eq!(resp.status(), 401);
-    if let Err(err) =
-        send_with_digest_auth(fetch!(b"PUT", &url).body(b"abc".to_vec()), "user", "pass")
+    if let Err(err) = send_with_digest_auth(fetch!(b"PUT", &url).body(b"abc".to_vec()), user, pass)
     {
         assert_eq!(
             err.to_string(),
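Review bot: Neither `#[case]` exercises a Basic credential that lacks a ':' separator, which is the other input shape the new `split_once(':')?` in src/auth.rs changes behaviour for (the old `parts[1]` indexing would have panicked; the new code must answer 401). Adding a case, or a short separate test, that sends a base64-encoded `Authorization: Basic` value with only a user name and asserts `401` would pin that down; this presumably needs a raw header setter on the request builder rather than `basic_auth`, which always inserts the ':'. The second case's password `pa:ss@1` does cover the ':' and '@' characters in the password, which is what the commit title targets. auth_hashed_password continues past the end of this hunk.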
@@ -76,7 +77,7 @@ fn auth_hashed_password(
     }
     let resp = fetch!(b"PUT", &url)
         .body(b"abc".to_vec())
-        .basic_auth("user", Some("pass"))
+        .basic_auth(user, Some(pass))
         .send()?;
     assert_eq!(resp.status(), 201);
     Ok(())