From 9d14e5677c73df98aee4ee2f265fcbcec53277bf Mon Sep 17 00:00:00 2001
From: Antoine du Hamel
Date: Sun, 4 Jan 2026 16:45:26 +0100
Subject: [PATCH 1/2] fix(auth): validation of H1 tokens

---
 lib/auth.js | 6 +++---
 test/fixtures/run-auth-h1.js | 13 +++++++++++++
 test/unit/auth.test.js | 9 +++++++++
 3 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 test/fixtures/run-auth-h1.js

diff --git a/lib/auth.js b/lib/auth.js
index a55f667a..79275843 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -12,7 +12,7 @@ function errorExit(message) {
   process.exit(1);
 }
 
-function check(username, token) {
+function check(username, token, format = /^[A-Za-z0-9_]+$/) {
   if (typeof username !== 'string') {
     errorExit(`username must be a string, received ${typeof username}`);
   }
@@ -25,7 +25,7 @@ function check(username, token) {
   if (typeof token !== 'string') {
     errorExit(`token must be a string, received ${typeof token}`);
   }
-  if (!/^[A-Za-z0-9_]+$/.test(token)) {
+  if (!format.test(token)) {
     errorExit(`token is misformatted: ${token}`);
   }
 }
@@ -107,7 +107,7 @@ async function auth(
 
     get h1() {
       const { h1_username, h1_token } = getMergedConfig();
-      check(h1_username, h1_token);
+      check(h1_username, h1_token, /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/);
       const h1 = encode(h1_username, h1_token);
       setOwnProperty(result, 'h1', h1);
       return h1;
diff --git a/test/fixtures/run-auth-h1.js b/test/fixtures/run-auth-h1.js
new file mode 100644
index 00000000..e153043c
--- /dev/null
+++ b/test/fixtures/run-auth-h1.js
@@ -0,0 +1,13 @@
+(async function() {
+  const { default: auth } = await import('../../lib/auth.js');
+  const authParams = await auth({ github: false });
+  if (typeof authParams === 'object' && authParams != null) {
+    for (const key of Object.getOwnPropertyNames(authParams)) {
+      if (key !== 'h1') delete authParams[key];
+    }
+  }
+  process.stdout.write(`${JSON.stringify(authParams)}\n`);
+})().catch(err => {
+  console.error(err);
+  process.exit(1);
+});
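Review bot: The new `format` parameter on `check` carries no documentation, so a caller cannot tell whether the pattern must be anchored, what shape the default enforces, or what happens on mismatch; the body of `check` continues past this hunk. A JSDoc block above the signature along the lines of `/** Exits the process unless username and token are strings and token fully matches `format` (a RegExp; defaults to `^[A-Za-z0-9_]+$`). */` would make the contract explicit. It is also worth stating that callers must pass a flag-free, anchored pattern: a `/g` or `/y` RegExp would make `format.test` stateful through `lastIndex` across calls, whereas the default literal here is re-evaluated on every call and has no such problem.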
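Review bot: The rejection branch still interpolates the secret itself into the message, `errorExit(\`token is misformatted: ${token}\`)`, and a value that fails the new shape check (for example a real H1 token with a stray trailing character, or one pasted with a typo) is presumably still a live credential. `errorExit` appears to report the message before `process.exit(1)` (its body is outside this hunk), so the token would land in terminal scrollback or CI logs. Consider reporting only the expected shape, e.g. `errorExit(\`token is misformatted (expected to match ${format})\`)`, or at most the token's length, instead of the token.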
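Review bot: The H1 pattern passed to `check` matches the empty string, because both `(?:[A-Za-z0-9+/]{4})*` and the padding group are optional, so an `h1_token` of `''` now passes `format.test` and reaches `encode(h1_username, h1_token)`, whereas the previous `[A-Za-z0-9_]+` pattern required at least one character. Rejecting the empty case keeps the old guarantee without changing what valid tokens match: `/^(?!$)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/`. The literal is also long enough that a named module-level constant such as `const H1_TOKEN_FORMAT = …;` would read better than inlining it in the getter. The enclosing `auth` function starts and ends outside this hunk.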
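Review bot: The fixture explains neither why `github: false` is passed nor why every own property except `h1` is deleted before printing, which a maintainer adjusting the expected stdout in test/unit/auth.test.js would need to know. A header comment would help, e.g. `// Resolves auth() with GitHub disabled, strips every credential except h1 and prints the result as JSON so the unit test can compare stdout verbatim.` The deletion presumably keeps other lazily-evaluated credential getters (lib/auth.js defines `get h1()` in that style) from being triggered by `JSON.stringify` and exiting the process over unrelated missing config; if that is the intent, say so in the comment.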
diff --git a/test/unit/auth.test.js b/test/unit/auth.test.js
index e753cb87..7bdc638a 100644
--- a/test/unit/auth.test.js
+++ b/test/unit/auth.test.js
@@ -99,6 +99,15 @@ describe('auth', async function() {
     );
   });
 
+  it('accepts a valid H1 token format', async function() {
+    await runAuthScript(
+      { HOME: { h1_username: 'nyancat', h1_token: 'wWIDaa7wz7uGIryWLuqbJRhqUkLI6qlemK1KaMChhpC=' } },
+      ['{"h1":"bnlhbmNhdDp3V0lEYWE3d3o3dUdJcnlXTHVxYkpSaHFVa0xJNnFsZW1LMUthTUNoaHBDPQ=="}'],
+      '',
+      'run-auth-h1'
+    );
+  });
+
   it('permits capital letters in token format', async function() {
     await runAuthScript(
       { HOME: { username: 'nyancat', token: '0123456789ABCDEF' } },

From 01d10908bb66dfa1f9f1b287912fd89c9f2d4154 Mon Sep 17 00:00:00 2001
From: Antoine du Hamel
Date: Mon, 5 Jan 2026 09:57:15 +0100
Subject: [PATCH 2/2] fixup! fix(auth): validation of H1 tokens

lint
---
 test/unit/auth.test.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/test/unit/auth.test.js b/test/unit/auth.test.js
index 7bdc638a..db5119ef 100644
--- a/test/unit/auth.test.js
+++ b/test/unit/auth.test.js
@@ -101,7 +101,9 @@ describe('auth', async function() {
   it('accepts a valid H1 token format', async function() {
     await runAuthScript(
-      { HOME: { h1_username: 'nyancat', h1_token: 'wWIDaa7wz7uGIryWLuqbJRhqUkLI6qlemK1KaMChhpC=' } },
+      {
+        HOME: { h1_username: 'nyancat', h1_token: 'wWIDaa7wz7uGIryWLuqbJRhqUkLI6qlemK1KaMChhpC=' }
+      },
       ['{"h1":"bnlhbmNhdDp3V0lEYWE3d3o3dUdJcnlXTHVxYkpSaHFVa0xJNnFsZW1LMUthTUNoaHBDPQ=="}'],
       '',
       'run-auth-h1'
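Review bot: Only the accept path of the new H1 validation is exercised here; nothing asserts that a token outside the base64 shape (for instance `h1_token: 'not_base64!'`, or an empty string) is rejected, so a later change that loosens or breaks the pattern would pass this suite. A companion `it('rejects a misformatted H1 token', …)` case using the same `run-auth-h1` fixture would pin the reject path, with an empty expected stdout and the `token is misformatted` message in the expected error output (assuming the third `runAuthScript` argument is expected stderr, as its `''` value suggests). The `describe('auth', …)` block this hunk sits in starts and ends outside the hunk.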