Used application/json for session POST

ricellis · ricellis · commit 6483b29da107 · 2019-12-03T15:13:38.000Z
Modified CookieTokenManager to use JSON.
Decoded credentials from URL before passing to CookieTokenManager.
Improved documentation of characters that must be encoded.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,9 @@
 # UNRELEASED
 - [FIXED] Expose BasePlugin.
+- [FIXED] Prevent double encoding of credentials passed in URL user information
+  when using the `cookieauth` plugin.
+- [IMPROVED] Documented the characters that are required to be encoded in URL
+  user information.
 - [IMPROVED] Documented the legacy compatibility behaviour that always adds the
   `cookieauth` plugin when using the initialization callback functionality.
 
diff --git a/README.md b/README.md
@@ -156,6 +156,13 @@ var Cloudant = require('@cloudant/cloudant');
 var cloudant = Cloudant("http://MYUSERNAME:MYPASSWORD@localhost:5984");
 ~~~
 
+**Note**: If you pass credentials in the user information subcomponent of the URL
+then they must be [percent encoded](https://tools.ietf.org/html/rfc3986#section-3.2.1).
+Specifically the characters `: / ? # [ ] @ %` _MUST_ be precent-encoded, other
+characters _MAY_ be percent encoded.
+Credentials must not be percent encoded when passing them via other configuration
+options besides `url`.
+
 **Note**: If you pass in a `username`, `password`, and `url` that contains
 credentials, the `username` and `password` will supercede the credentials within
 the `url`.  For example, `myusername` and `mypassword` will be used in the code
diff --git a/lib/tokens/CookieTokenManager.js b/lib/tokens/CookieTokenManager.js
@@ -29,7 +29,8 @@ class CookieTokenManager extends TokenManager {
     this._client({
       url: this._sessionUrl,
       method: 'POST',
-      form: {
+      json: true,
+      body: {
         name: this._username,
         password: this._password
       },
diff --git a/plugins/cookieauth.js b/plugins/cookieauth.js
@@ -49,8 +49,9 @@ class CookiePlugin extends BasePlugin {
       client,
       this._jar,
       u.format(sessionUrl, {auth: false}),
-      sessionUrl.username,
-      sessionUrl.password
+      // Extract creds from URL and decode
+      decodeURIComponent(sessionUrl.username),
+      decodeURIComponent(sessionUrl.password)
     );
 
     if (cfg.autoRenew) {
diff --git a/test/plugins/cookieauth.js b/test/plugins/cookieauth.js
@@ -21,10 +21,10 @@ const nock = require('../nock.js');
 const uuidv4 = require('uuid/v4'); // random
 
 const ME = process.env.cloudant_username || 'nodejs';
-const PASSWORD = process.env.cloudant_password || 'sjedon';
+const PASSWORD = process.env.cloudant_password || 'sjedon!@#"£$%^&*()';
 const SERVER = process.env.SERVER_URL || `https://${ME}.cloudant.com`;
 const SERVER_NO_PROTOCOL = SERVER.replace(/^https?:\/\//, '');
-const SERVER_WITH_CREDS = `https://${ME}:${PASSWORD}@${SERVER_NO_PROTOCOL}`;
+const SERVER_WITH_CREDS = `https://${ME}:${encodeURIComponent(PASSWORD)}@${SERVER_NO_PROTOCOL}`;
 const DBNAME = `/nodejs-cloudant-${uuidv4()}`;
 const COOKIEAUTH_PLUGIN = [ { cookieauth: { autoRenew: false } } ];
 
