From f92c8ee91d0d9fa8c07fb7348b7565080a163fea Mon Sep 17 00:00:00 2001
From: sigoden
Date: Fri, 19 Jan 2024 10:25:11 +0800
Subject: [PATCH] refactor: improve invalid auth (#356)
---
 src/auth.rs | 4 ++--
 tests/auth.rs | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/auth.rs b/src/auth.rs
index 44dc345..7eb5945 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -109,11 +109,11 @@ impl AccessControl {
 }
 if check_auth(authorization, method.as_str(), &user, pass).is_some() {
 return (Some(user), paths.find(path, !is_readonly_method(method)));
- } else {
- return (None, None);
 }
 }
 }
+
+ return (None, None);
 }
 if method == Method::OPTIONS {
diff --git a/tests/auth.rs b/tests/auth.rs
index 4b0750a..34a5d69 100644
--- a/tests/auth.rs
+++ b/tests/auth.rs
@@ -39,6 +39,25 @@ fn auth(#[case] server: TestServer, #[case] user: &str, #[case] pass: &str) -> R
 Ok(())
 }
+#[rstest]
+fn invalid_auth(
+ #[with(&["-a", "user:pass@/:rw", "-a", "@/", "-A"])] server: TestServer,
+) -> Result<(), Error> {
+ let resp = fetch!(b"GET", server.url())
+ .basic_auth("user", Some("-"))
+ .send()?;
+ assert_eq!(resp.status(), 401);
+ let resp = fetch!(b"GET", server.url())
+ .basic_auth("-", Some("pass"))
+ .send()?;
+ assert_eq!(resp.status(), 401);
+ let resp = fetch!(b"GET", server.url())
+ .header("Authorization", "Basic Og==")
+ .send()?;
+ assert_eq!(resp.status(), 401);
+ Ok(())
+}
+
 const HASHED_PASSWORD_AUTH: &str = "user:$6$gQxZwKyWn/ZmWEA2$4uV7KKMnSUnET2BtWTj/9T5.Jq3h/MdkOlnIl5hdlTxDZ4MZKmJ.kl6C.NL9xnNPqC4lVHC1vuI0E5cLpTJX81@/:rw"; // user:pass
 #[rstest]
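Review bot: The new fall-through `return (None, None);` in src/auth.rs has no comment saying that it is deliberate fail-closed behaviour: once a request carries an Authorization header, any failure to validate it is rejected instead of being evaluated as an anonymous request. Without that, a bare return after three closing braces reads like leftover code and invites a later edit that restores the fall-through. I would add `// Credentials were presented but did not validate: reject, never fall back to anonymous access.` directly above it. The enclosing method of `impl AccessControl` starts and ends outside this hunk, so the conditions closed by those braces are inferred from the accompanying test, which expects 401 for a wrong password, an unknown user and an empty credential pair.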
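Review bot: `invalid_auth` in tests/auth.rs has no positive control: the server is started with `-a @/`, but nothing asserts that a request without an Authorization header succeeds, so the three 401 assertions would also pass if this configuration rejected every request. Adding `let resp = fetch!(b"GET", server.url()).send()?;` followed by `assert_eq!(resp.status(), 200);` at the top would tie the 401s to the invalid header (200 is my expectation for an anonymous GET here, to be confirmed). The literal `"Basic Og=="` also deserves a comment such as `// "Og==" is base64 of ":", i.e. empty user and empty password`. A header whose payload is not valid base64 is not covered and would be a cheap fourth case.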