Merge pull request #412 from cloudant/json-session-request

ricellis · web-flow · commit f912c5277bcd · 2019-12-04T13:53:14.000Z
Used application/json for session POST
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,9 @@
 # UNRELEASED
 - [FIXED] Expose BasePlugin.
+- [FIXED] Prevent double encoding of credentials passed in URL user information
+  when using the `cookieauth` plugin.
+- [IMPROVED] Documented the characters that are required to be encoded in URL
+  user information.
 - [IMPROVED] Documented the legacy compatibility behaviour that always adds the
   `cookieauth` plugin when using the initialization callback functionality.
 
diff --git a/README.md b/README.md
@@ -156,7 +156,20 @@ var Cloudant = require('@cloudant/cloudant');
 var cloudant = Cloudant("http://MYUSERNAME:MYPASSWORD@localhost:5984");
 ~~~
 
-**Note**: If you pass in a `username`, `password`, and `url` that contains
+**Note**: It is preferred to pass credentials using the `account`/`username` and
+`password` configuration options rather than as part of the URL. However, if you
+choose to pass credentials in the user information subcomponent of the URL then
+they must be [percent encoded](https://tools.ietf.org/html/rfc3986#section-3.2.1).
+Specifically within either the username or passowrd the characters `: / ? # [ ] @ %`
+_MUST_ be precent-encoded, other characters _MAY_ be percent encoded.
+For example for the username `user123` and password `colon:at@321`:
+```
+https://user123:colon%3aat%40321@localhost:5984
+```
+Credentials must not be percent encoded when passing them via other configuration
+options besides `url`.
+
+If you pass in `username` and `password` options and a `url` that contains
 credentials, the `username` and `password` will supercede the credentials within
 the `url`.  For example, `myusername` and `mypassword` will be used in the code
 below during authentication:
diff --git a/lib/tokens/CookieTokenManager.js b/lib/tokens/CookieTokenManager.js
@@ -29,7 +29,8 @@ class CookieTokenManager extends TokenManager {
     this._client({
       url: this._sessionUrl,
       method: 'POST',
-      form: {
+      json: true,
+      body: {
         name: this._username,
         password: this._password
       },
diff --git a/plugins/cookieauth.js b/plugins/cookieauth.js
@@ -49,8 +49,9 @@ class CookiePlugin extends BasePlugin {
       client,
       this._jar,
       u.format(sessionUrl, {auth: false}),
-      sessionUrl.username,
-      sessionUrl.password
+      // Extract creds from URL and decode
+      decodeURIComponent(sessionUrl.username),
+      decodeURIComponent(sessionUrl.password)
     );
 
     if (cfg.autoRenew) {
diff --git a/test/plugins/cookieauth.js b/test/plugins/cookieauth.js
@@ -21,10 +21,10 @@ const nock = require('../nock.js');
 const uuidv4 = require('uuid/v4'); // random
 
 const ME = process.env.cloudant_username || 'nodejs';
-const PASSWORD = process.env.cloudant_password || 'sjedon';
+const PASSWORD = process.env.cloudant_password || 'sjedon!@#"£$%^&*()';
 const SERVER = process.env.SERVER_URL || `https://${ME}.cloudant.com`;
 const SERVER_NO_PROTOCOL = SERVER.replace(/^https?:\/\//, '');
-const SERVER_WITH_CREDS = `https://${ME}:${PASSWORD}@${SERVER_NO_PROTOCOL}`;
+const SERVER_WITH_CREDS = `https://${ME}:${encodeURIComponent(PASSWORD)}@${SERVER_NO_PROTOCOL}`;
 const DBNAME = `/nodejs-cloudant-${uuidv4()}`;
 const COOKIEAUTH_PLUGIN = [ { cookieauth: { autoRenew: false } } ];
 
