(#215) Strip user info after Auth header was added

jcabi · Aug 23, 2020 · e77d8e1 · e77d8e1 · 0pdd · Aug 28, 2020
1 parent a1be216
commit e77d8e1
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 11 deletions.
diff --git a/src/main/java/com/jcabi/http/wire/BasicAuthWire.java b/src/main/java/com/jcabi/http/wire/BasicAuthWire.java
@@ -39,6 +39,7 @@
 import java.io.InputStream;
 import java.net.URI;
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.Collection;
 import java.util.LinkedList;
 import java.util.Map;
@@ -65,25 +66,16 @@
  *
  * @since 0.10
  * @see <a href="http://tools.ietf.org/html/rfc2617">RFC 2617 "HTTP Authentication: Basic and Digest Access Authentication"</a>
- * @todo #97:30m Strip user info from URI after Auth header is added.
- *  Consider adding warnings about the wire applied for Request with header, and
- *  without user info.
  */
 @Immutable
 @ToString(of = "origin")
 @EqualsAndHashCode(of = "origin")
 public final class BasicAuthWire implements Wire {
 
-    /**
-     * The encoding to use.
-     */
-    private static final String ENCODING = "UTF-8";
-
     /**
      * The Charset to use.
      */
-    private static final Charset CHARSET =
-        Charset.forName(BasicAuthWire.ENCODING);
+    private static final Charset CHARSET = StandardCharsets.UTF_8;
 
     /**
      * Original wire.
@@ -111,6 +103,11 @@ public Response send(final Request req, final String home,
         boolean absent = true;
         for (final Map.Entry<String, String> header : headers) {
             if (header.getKey().equals(HttpHeaders.AUTHORIZATION)) {
+                Logger.warn(
+                    this,
+                    "Request already contains %s header",
+                    HttpHeaders.AUTHORIZATION
+                );
                 absent = false;
             }
             hdrs.add(header);
@@ -135,7 +132,13 @@ public Response send(final Request req, final String home,
             );
         }
         return this.origin.send(
-            req, home, method, hdrs, content, connect, read
+            req.uri().userInfo(null).back(),
+            home,
+            method,
+            hdrs,
+            content,
+            connect,
+            read
         );
     }
 }
diff --git a/src/test/java/com/jcabi/http/wire/BasicAuthWireTest.java b/src/test/java/com/jcabi/http/wire/BasicAuthWireTest.java
@@ -32,17 +32,22 @@
 import com.jcabi.http.mock.MkAnswer;
 import com.jcabi.http.mock.MkContainer;
 import com.jcabi.http.mock.MkGrizzlyContainer;
+import com.jcabi.http.mock.MkQueryMatchers;
 import com.jcabi.http.request.JdkRequest;
 import com.jcabi.http.response.RestResponse;
 import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import javax.net.ssl.HttpsURLConnection;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.UriBuilder;
 import javax.xml.bind.DatatypeConverter;
 import org.hamcrest.MatcherAssert;
 import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.function.Executable;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
 
@@ -100,6 +105,48 @@ void testHeader(
         );
     }
 
+    /**
+     * Tests if the wire strips user info from URI, after the header was added.
+     *
+     * @throws Exception If something goes wrong
+     */
+    @Test
+    void shouldStripUserInfo() throws Exception {
+        final MkContainer container = new MkGrizzlyContainer().next(
+            new MkAnswer.Simple(HttpsURLConnection.HTTP_NOT_FOUND),
+            MkQueryMatchers.hasHeader(
+                "Authorization", Matchers.contains(
+                    BasicAuthWireTest.expectHeader("foo", "bar")
+                )
+            )
+        ).start();
+        final String userinfo = "foo:bar";
+        final URI uri = UriBuilder.fromUri(container.home()).userInfo(
+            userinfo
+        ).build();
+        MatcherAssert.assertThat(
+            Assertions.assertThrows(
+                AssertionError.class,
+                new Executable() {
+                    @Override
+                    public void execute() throws Throwable {
+                        new JdkRequest(uri)
+                            .through(BasicAuthWire.class)
+                            .fetch()
+                            .as(RestResponse.class)
+                            .assertStatus(HttpURLConnection.HTTP_OK);
+                    }
+                }
+            ),
+            Matchers.<AssertionError>hasToString(
+                Matchers.not(
+                    Matchers.containsString(userinfo)
+                )
+            )
+        );
+        container.stop();
+    }
+
     /**
      * Creates the expected authorization header value for the
      * given username.