Compare hash of base64 decoded authorization header

Wonshtrum · Wonshtrum · commit 571cab0683ad · 2025-04-24T16:34:54.000+02:00
Signed-off-by: Eloi DEMOLIS &lt;eloi.demolis@clever-cloud.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/command/src/config.rs b/command/src/config.rs
@@ -853,17 +853,17 @@ impl FileClusterConfig {
                     let http_frontend = frontend.to_http_front(cluster_id)?;
                     frontends.push(http_frontend);
                 }
-                self.authorized_hashes
-                    .iter()
-                    .map(|hash| {
-                        hex::decode(hash)
-                            .map_err(|_| ConfigError::InvalidHash(hash.clone()))
-                            .and_then(|v| {
-                                v.try_into()
-                                    .map_err(|_| ConfigError::InvalidHash(hash.clone()))
-                            })
-                    })
-                    .collect::<Result<Vec<[u8; 32]>, ConfigError>>()?;
+                // self.authorized_hashes
+                //     .iter()
+                //     .map(|hash| {
+                //         hex::decode(hash)
+                //             .map_err(|_| ConfigError::InvalidHash(hash.clone()))
+                //             .and_then(|v| {
+                //                 v.try_into()
+                //                     .map_err(|_| ConfigError::InvalidHash(hash.clone()))
+                //             })
+                //     })
+                //     .collect::<Result<Vec<[u8; 32]>, ConfigError>>()?;
 
                 Ok(ClusterConfig::Http(HttpClusterConfig {
                     cluster_id: cluster_id.to_string(),
diff --git a/lib/Cargo.toml b/lib/Cargo.toml
@@ -29,6 +29,7 @@ include = [
 
 [dependencies]
 anyhow = "^1.0.89"
+base64 = "0.22.1"
 cookie-factory = "^0.3.3"
 hdrhistogram = "^7.5.4"
 hex = "^0.4.3"
diff --git a/lib/src/protocol/kawa_h1/editor.rs b/lib/src/protocol/kawa_h1/editor.rs
@@ -4,6 +4,7 @@ use std::{
     str::{from_utf8, from_utf8_unchecked},
 };
 
+use base64::Engine;
 use rusty_ulid::Ulid;
 use sha2::{Digest, Sha256};
 use sozu_command::logging::CachedTags;
@@ -209,9 +210,20 @@ impl HttpContext {
             }
         }
 
-        self.authorization_found = auth
-            .and_then(|header| header.val.data_opt(buf))
-            .map(|auth| hex::encode(Sha256::digest(auth)));
+        self.authorization_found =
+            auth.and_then(|header| header.val.data_opt(buf))
+                .and_then(|auth| {
+                    let (kind, token) = auth.trim_ascii_start().split_at("Basic ".len());
+                    compare_no_case(kind, b"Basic ").then_some(())?;
+                    let token = base64::prelude::BASE64_STANDARD.decode(token).ok()?;
+                    let (name, pwd) = token
+                        .iter()
+                        .position(|c| *c == b':')
+                        .map(|i| token.split_at(i+1))?;
+                    let mut auth = String::from_utf8(name.to_vec()).ok()?;
+                    auth.push_str(&hex::encode(Sha256::digest(pwd)));
+                    Some(auth)
+                });
 
         // If session_address is set:
         // - append its ip address to the list of "X-Forwarded-For" if it was found, creates it if not
