fix: improve regex pattern to avoid backtracking

Author: TomokiMiyauci

_abnf.ts

@@ -1,4 +1,5 @@
 import {
+  atomic,
   either,
   maybe,
   namedCapture,
@@ -8,23 +9,23 @@ import {
 import { optimize } from "https://esm.sh/regexp-tree";
 
 const tchar = /[!#$%&'*+.^_`|~\dA-Za-z-]/;
-const token = suffix("+", tchar);
+const token = atomic(suffix("+", tchar));
 const authScheme = namedCapture("authScheme", token);
 const SP = / /;
 const ALPHA = /[A-Za-z]/;
 const DIGIT = /\d/;
 const token68 = sequence(
-  suffix("+", either(ALPHA, DIGIT, /[-._~+/]/)),
-  suffix("*", "="),
+  atomic(suffix("+", either(ALPHA, DIGIT, /[-._~+/]/))),
+  atomic(suffix("*", "=")),
 );
 
 const challenge = sequence(
   authScheme,
   maybe(
-    suffix("+", SP),
+    atomic(suffix("+", SP)),
     either(
       namedCapture("token68", token68),
-      namedCapture("authParam", /.*/),
+      namedCapture("authParam", atomic(/.*/)),
     ),
   ),
 );
@@ -33,7 +34,9 @@ const OWS = /[ \t]*/;
 const BWS = OWS;
 
 const element = sequence(
-  maybe(/.*?/, suffix("*", OWS, ",", OWS, maybe(/.*?/))),
+  atomic(
+    maybe(atomic(/.*?/), atomic(suffix("*", OWS, ",", OWS, maybe(/.*?/)))),
+  ),
 );
 
 const DQUOTE = /"/;
@@ -45,7 +48,7 @@ const quotedPair = sequence("\\", either(HTAB, SP, VCHAR, obsText));
 
 const quotedString = sequence(
   DQUOTE,
-  suffix("*", either(qdtext, quotedPair)),
+  atomic(suffix("*", either(qdtext, quotedPair))),
   DQUOTE,
 );
 

parse.ts

@@ -8,7 +8,7 @@ import type { Authorization, AuthParams } from "./types.ts";
 
 /** Generate from _abnf.ts. */
 const reAuthorization =
-  /^(?<authScheme>[\w!#$%&'*+.^`|~-]+)(?: +(?:(?<token68>(?:[A-Za-z]|\d|[+./_~-])+=*)|(?<authParam>.*)))?$/;
+  /^(?<authScheme>(?=([\w!#$%&'*+.^`|~-]+))\2)(?:(?=( +))\3(?:(?<token68>(?=((?:[A-Za-z]|\d|[+./_~-])+))\5(?=(=*))\6)|(?<authParam>(?=(.*))\8)))?$/;
 
 /** Parse string into {@link Authorization}.
  *
@@ -60,7 +60,7 @@ type ParsedGroups = {
 
 /** Generate from _abnf.ts. */
 const reAuthParam =
-  /^(?<key>[\w!#$%&'*+.^`|~-]+)[\t ]*=[\t ]*(?:(?<token>[\w!#$%&'*+.^`|~-]+)|(?<quotedString>"(?:\t| |!|[ \x23-\x5B\x5D-\x7E]|[\x80-\xFF]|\\(?:\t| |[\x21-\x7E]|[\x80-\xFF]))*"))$/;
+  /^(?<key>(?=([\w!#$%&'*+.^`|~-]+))\2)[\t ]*=[\t ]*(?:(?<token>(?=([\w!#$%&'*+.^`|~-]+))\4)|(?<quotedString>"(?=((?:\t| |!|[ \x23-\x5B\x5D-\x7E]|[\x80-\xFF]|\\(?:\t| |[\x21-\x7E]|[\x80-\xFF]))*))\6"))$/;
 
 type AuthParamGroups =
   & { key: string }

stringify.ts

@@ -47,7 +47,7 @@ export function stringifyAuthorization(input: AuthorizationLike): string {
   return [input.authScheme, data].filter(Boolean).join(" ");
 }
 
-const reToken = /^[\w!#$%&'*+.^`|~-]+$/;
+const reToken = /^(?=([\w!#$%&'*+.^`|~-]+))\1$/;
 
 export function assertToken(
   input: string,
@@ -61,7 +61,7 @@ export function isToken(input: string): boolean {
   return reToken.test(input);
 }
 
-const reToken68 = /^[A-Za-z\d+./_~-]+=*$/;
+const reToken68 = /^(?=((?:[A-Za-z]|\d|[+./_~-])+))\1(?=(=*))\2$/;
 
 export function isToken68(input: string): boolean {
   return reToken68.test(input);
@@ -76,7 +76,7 @@ export function assertToken68(
 }
 
 const reQuotedString =
-  /^"(?:\t| |!|[ \x23-\x5B\x5D-\x7E]|[\x80-\xFF]|\\(?:\t| |[\x21-\x7E]|[\x80-\xFF]))*"$/;
+  /^"(?=((?:\t| |!|[ \x23-\x5B\x5D-\x7E]|[\x80-\xFF]|\\(?:\t| |[\x21-\x7E]|[\x80-\xFF]))*))\1"$/;
 
 export function isQuotedString(input: string): boolean {
   return reQuotedString.test(input);