Errors when URL includes basic auth

Author: simonbs

src/app/api/remotes/[encodedRemoteConfig]/route.ts

@@ -55,6 +55,8 @@ export async function GET(_req: NextRequest, { params }: { params: RemoteSpecifi
       return makeAPIErrorResponse(408, "The operation timed out.")
     } else if (error.name === ErrorName.NOT_JSON_OR_YAML) {
       return makeAPIErrorResponse(400, "Url does not point to a JSON or YAML file.")
+    } else if (error.name === ErrorName.URL_MAY_NOT_INCLUDE_BASIC_AITH) {
+      return makeAPIErrorResponse(400, "Url may not include basic auth.")
     } else {
       return makeAPIErrorResponse(500, error.message)
     }

src/common/utils/fileUtils.ts

@@ -4,6 +4,7 @@ export const ErrorName = {
     MAX_FILE_SIZE_EXCEEDED: "MaxFileSizeExceededError",
     TIMEOUT: "TimeoutError",
     NOT_JSON_OR_YAML: "NotJsonOrYamlError",
+    URL_MAY_NOT_INCLUDE_BASIC_AITH: "UrlMayNotIncludeBasicAuth"
 }
 
 export async function downloadFile(params: {
@@ -21,14 +22,13 @@ export async function downloadFile(params: {
         headers["Authorization"] = "Basic " + btoa(`${basicAuthUsername}:${basicAuthPassword}`);
     }
     // Make sure basic auth is removed from URL.
-    const urlWithoutAuth = url;
-    urlWithoutAuth.username = "";
-    urlWithoutAuth.password = "";
-    const response = await fetch(urlWithoutAuth, {
-        method: "GET",
-        headers,
-        signal: AbortSignal.any([abortController.signal, timeoutSignal])
-    });
+    if ((url.username && url.username.length > 0) || (url.password && url.password.length > 0)) {
+        const error = new Error("URL may not include basic auth");
+        error.name = ErrorName.URL_MAY_NOT_INCLUDE_BASIC_AITH;
+        throw error;
+    }
+    let fetchSignal = AbortSignal.any([abortController.signal, timeoutSignal])
+    const response = await fetch(url, { method: "GET", headers, signal: fetchSignal })
     if (!response.body) {
         throw new Error("Response body unavailable");
     }