fix: basic authoriation string length off-by-one

Author: QuickSander

examples/HelloHttp/HelloHttp.ino examples/HelloHttp/HelloHttp.cppexamples/HelloHttp/HelloHttp.ino renamed to examples/HelloHttp/HelloHttp.cpp

@@ -1,14 +1,17 @@
 #include <ArduinoHttpServer.h>
 
+#include <Arduino.h>
+
+
 #ifdef ESP8266 // This example is compatible with both, ATMega and ESP8266
    #include <ESP8266WiFi.h>
 #else
    #include <SPI.h> //! \todo Temporary see fix: https://github.com/platformio/platformio/issues/48
    #include <WiFi.h>
 #endif
 
-const char* ssid = "";
-const char* password = "";
+const char* ssid = "***REMOVED***";
+const char* password = "***REMOVED***";
 
 WiFiServer wifiServer(80);
 
@@ -44,22 +47,31 @@ void loop()
 
          // Retrieve 2nd part of HTTP resource.
          // E.g.: "on" from "/api/sensors/on"
-         Serial.println( httpRequest.getResource()[2] );
+         Serial.println(httpRequest.getResource()[2]);
 
          // Retrieve HTTP method.
          // E.g.: GET / PUT / HEAD / DELETE / POST
          ArduinoHttpServer::Method method( ArduinoHttpServer::Method::Invalid );
          method = httpRequest.getMethod();
 
-         if( method == ArduinoHttpServer::Method::Get )
+         // Optionally athenticate incoming request
+         if(!httpRequest.authenticate("user", "secret"))
          {
-            Serial.println("Nothing to get here.");
+            ArduinoHttpServer::StreamHttpAuthenticateReply httpReply(client, httpRequest.getContentType());
+            httpReply.send();
          }
-         else if( method == ArduinoHttpServer::Method::Put )
+         else
          {
-            digitalWrite(13, HIGH);
+            if( method == ArduinoHttpServer::Method::Get )
+            {
+               Serial.println("Nothing to get here.");
+            }
+            else if( method == ArduinoHttpServer::Method::Put )
+            {
+               Serial.println("Writing HIGH to digital pin 13.");
+               digitalWrite(13, HIGH);
+            }
          }
-
       }
       else
       {

platformio.ini

@@ -12,17 +12,27 @@
 src_dir = examples/HelloHttp
 lib_dir = ../
 
-[env:esp01]
+[env:huzzah]
 platform = espressif8266
 framework = arduino
-board = esp01
-extra_scripts = ../../Tools/platformio_esptool.py
-lib_deps = agdl/Base64@^1.0.0
-
-[env:uno]
-platform = atmelavr
-framework = arduino
-board = uno
+board = huzzah
+upload_port = /dev/cu.SLAB_USBtoUART
+monitor_port = /dev/cu.SLAB_USBtoUART
+monitor_speed = 115200
 lib_deps = 
-	WiFi
 	agdl/Base64@^1.0.0
+
+; [env:esp01]
+; platform = espressif8266
+; framework = arduino
+; board = esp01
+; extra_scripts = ../../Tools/platformio_esptool.py
+; lib_deps = agdl/Base64@^1.0.0
+
+; [env:uno]
+; platform = atmelavr
+; framework = arduino
+; board = uno
+; lib_deps = 
+; 	WiFi
+; 	agdl/Base64@^1.0.0

src/internals/HttpField.cpp

@@ -82,21 +82,21 @@ const ArduinoHttpServer::HttpField::Type ArduinoHttpServer::HttpField::getType()
 
 //! \brief Retrieve part of a value indicated by a zero based index.
 //! \details Retrieve "username:password" from "Basic username:password": call with subValueIndex 1.
-const ArduinoHttpServer::HttpField::SubValueString ArduinoHttpServer::HttpField::getSubValueString(size_t subValueIndex) const
+const ArduinoHttpServer::HttpField::SubValueStringT ArduinoHttpServer::HttpField::getSubValueString(size_t subValueIndex) const
 {
-   SubValueString subValue;
+   SubValueStringT subValue;
    auto startIndex(0);
    auto endIndex(0);
 
-   for(auto currentSubValueIndex=0U; currentSubValueIndex < subValueIndex; currentSubValueIndex++)
+   for(auto currentSubValueIndex=0U; currentSubValueIndex <= subValueIndex; currentSubValueIndex++)
    {
       endIndex = m_value.indexOf(SUB_VALUE_SEPERATOR, startIndex);
 
       // If separator has been found.
       if(endIndex >=0)
       {
-         subValue = m_value.substring(startIndex + strlen(SUB_VALUE_SEPERATOR), endIndex);
-         startIndex = endIndex;
+         subValue = m_value.substring(startIndex + strlen(SUB_VALUE_SEPERATOR) - 1, endIndex);
+         startIndex = endIndex+1; // One past the found string.
       }
       else
       {

src/internals/HttpField.hpp

@@ -23,7 +23,7 @@ class HttpField
 
 public:
 
-   using SubValueString = FixString<128>;
+   using SubValueStringT = FixString<128>;
 
    enum class Type: char
    {
@@ -34,6 +34,8 @@ class HttpField
       AUTHORIZATION
    };
 
+   constexpr static const char* BASIC_AUTH_TYPE_STR = "Basic";
+
    HttpField(const char* fieldLine);
    HttpField();
    virtual ~HttpField();
@@ -45,13 +47,13 @@ class HttpField
    const Type getType() const;
 
    inline const String& getValueAsString() const {return m_value; };
-   const SubValueString getSubValueString(size_t subValueIndex) const;
+   const SubValueStringT getSubValueString(size_t subValueIndex) const;
    inline const int getValueAsInt() const {return m_value.toInt(); };
 
 private:
    void determineType(const String& typeStr);
 
-   static const char *SEPERATOR;
+   static const char* SEPERATOR;
    static const char* SUB_VALUE_SEPERATOR;
    static const char* CONTENT_TYPE_STR;
    static const char* CONTENT_LENGTH_TYPE_STR;

src/internals/StreamHttpRequest.hpp

@@ -65,7 +65,7 @@ class StreamHttpRequest
     const ErrorString getError() const;
     Stream& getStream() { return m_stream; };
 
-    // Check if authenticated request
+    // Validate if client provided credentials match _username_ and _password_.
     bool authenticate(const char * username, const char * password) const;
 
 private:
@@ -85,8 +85,6 @@ class StreamHttpRequest
    static const long LINE_READ_TIMEOUT_MS = 10000L; //!< [ms] Wait 10s for reception of a complete line.
    static const int MAX_RETRIES_WAIT_DATA_AVAILABLE = 255;
 
-   constexpr static const char* BASIC_AUTH_TYPE_STR = "Basic";
-
    void parseRequest(char lineBuffer[MAX_LINE_SIZE]);
    void parseMethod(char lineBuffer[MAX_LINE_SIZE]);
    void parseResource();
@@ -391,20 +389,25 @@ bool ArduinoHttpServer::StreamHttpRequest<MAX_BODY_SIZE>::authenticate(const cha
 
    // HTTP value: "<Type> <Base 64 encoded credentials>"
    // Retrieve type and verify wether it is basic authorization.
-   if(!(m_authorizationField.getSubValueString(0) == BASIC_AUTH_TYPE_STR))
+   if(!(m_authorizationField.getSubValueString(0) == HttpField::BASIC_AUTH_TYPE_STR))
    {
-      DEBUG_ARDUINO_HTTP_SERVER_PRINT("Unsupported authentication header: ");
-      DEBUG_ARDUINO_HTTP_SERVER_PRINTLN(m_authorizationField);
+      DEBUG_ARDUINO_HTTP_SERVER_PRINT("Unsupported authentication type: ");
+      DEBUG_ARDUINO_HTTP_SERVER_PRINTLN(m_authorizationField.getSubValueString(0).cStr());
       return false;
    }
 
-   FixString<128U> combinedInput;
-   combinedInput += username; combinedInput += AHS_F(":"); combinedInput += password;
+   FixString<128U> combinedInput(username);
+   combinedInput += AHS_F(":");
+   combinedInput += password;
 
    const int encodedLength = Base64.encodedLength(combinedInput.length());
-   char encodedString[encodedLength] = {0};
-   Base64.encode(encodedString, combinedInput.cStr(), combinedInput.length());
+
+   char encodedString[encodedLength+1]; // Base64 makes sure _encodedString_ is zero terminated.
+   Base64.encode(encodedString, const_cast<char*>(combinedInput.cStr()), combinedInput.length());
 
+   DEBUG_ARDUINO_HTTP_SERVER_PRINT("Credentials string in client supplied auth: ");
+   DEBUG_ARDUINO_HTTP_SERVER_PRINTLN(m_authorizationField.getSubValueString(1).cStr() );
+
    if ( m_authorizationField.getSubValueString(1) == encodedString )
    {
       return true;