Skip to content

[Fix] Fully support Authorization headers using the Basic authenticat… #3751

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
amejia1 wants to merge 11 commits into
base: master
Choose a base branch
from
Draft

[Fix] Fully support Authorization headers using the Basic authenticat… #3751

amejia1 wants to merge 11 commits into from
+120 −2

Conversation

@amejia1
Copy link

@amejia1 amejia1 commented Jan 2, 2026

…ion scheme.

Usage of the Basic authentication scheme involves setting the NVM_AUTH_HEADER environment variable to the value "Basic <base64 encoded value of string 'username:password'>"

Here's an example shell one-liner to set this environment variable.

export NVM_AUTH_HEADER="Basic $(echo 'username:password' | base64)"

The above literal username and password values would work since the base64 encoded value would be 'dXNlcm5hbWU6cGFzc3dvcmQK'. However, a username and password combination such as 'test:123?12>' would not work since the base64 encoded value would be 'dGVzdDoxMjM/MTI+Cg=='. The nvm_sanitize_auth_header function before this change would have stripped the valid base64 characters '/', '+', and '='.

@amejia1
[Fix] Fully support Authorization headers using the Basic authenticat…
78f2093 
…ion scheme.

Usage of the Basic authentication scheme involves setting the NVM_AUTH_HEADER
environment variable to the value "Basic <base64 encoded value of string 'username:password'>"

Here's an example shell one-liner to set this environment variable.

```sh
export NVM_AUTH_HEADER="Basic $(echo 'username:password' | base64)"
```

The above literal username and password values would work since the base64 encoded
value would be 'dXNlcm5hbWU6cGFzc3dvcmQK'. However, a username and password
combination such as 'test:123?12>' would not work since the base64
encoded value would be 'dGVzdDoxMjM/MTI+Cg=='. The nvm_sanitize_auth_header
function before this change would have stripped the valid base64
characters '/', '+', and '='.
ljharb
ljharb requested changes Jan 2, 2026
View reviewed changes
Copy link
Member

@ljharb ljharb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! We'll need regression tests, though

@ljharb ljharb marked this pull request as draft January 2, 2026 15:54
@amejia1 amejia1 marked this pull request as ready for review January 2, 2026 23:46
@amejia1 amejia1 requested a review from ljharb January 2, 2026 23:46
@amejia1
Copy link
Author

amejia1 commented Jan 2, 2026

Alright, I added a test.

Burnsedia

This comment was marked as spam.

Sign in to view

@amejia1
Ensure the 'Proxy-Authorization' HTTP headers are also removed.
29dd3f3 
This is done in case the test servers are used to test forward proxies.
Burnsedia

This comment was marked as spam.

Sign in to view

@ljharb
Copy link
Member

ljharb commented Jan 20, 2026

Thanks! However, using docker images in CI is a bit of a heavy lift; can you find a way to run the tests without using docker?

(also, test files need to chmod a+x to run)

@ljharb ljharb marked this pull request as draft January 20, 2026 20:47
@amejia1
Copy link
Author

amejia1 commented Jan 23, 2026

Thanks! However, using docker images in CI is a bit of a heavy lift; can you find a way to run the tests without using docker?

(also, test files need to chmod a+x to run)

I saw that the kennethreitz/httpbin container image was already being used for one of the existing tests and just used it to derive a second test to verify the changes in this PR. There is the one test using ferronserver/ferron:2 and I could remove it but that image is a distroless image meaning it's basically just the ferron binary plus related ferron programs.

Or maybe I should ask, what makes using docker images in CI a heavy lift? Is it because it needs root access on the host and/or a daemon to run? If that's the case, perhaps podman can be used instead. Podman can be configured for a system account to run rootless containers without a daemon. Most podman commands can replace usage of docker by simply running podman instead of docker.

I'll fix the test files to have the right chmod permissions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ljharb ljharb Awaiting requested review from ljharb

1 more reviewer

@Burnsedia Burnsedia Burnsedia left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@amejia1 @ljharb @Burnsedia