Fix username and password encoding in URL

szmarczak · szmarczak · commit d65d0caf627e · 2021-08-04T23:20:59.000+02:00
This is a Node.js bug, but it's better to fix this in Got. In the future we may use a different HTTP client, which doesn't support these properties in URL. Fixes #1169 Fixes #1317
diff --git a/source/core/index.ts b/source/core/index.ts
@@ -1042,7 +1042,7 @@ export default class Request extends Duplex implements RequestEvents<Request> {
 
 	private async _makeRequest(): Promise<void> {
 		const {options} = this;
-		const {headers} = options;
+		const {headers, username, password} = options;
 		const cookieJar = options.cookieJar as PromiseCookieJar | undefined;
 
 		for (const key in headers) {
@@ -1058,6 +1058,11 @@ export default class Request extends Duplex implements RequestEvents<Request> {
 			headers['accept-encoding'] = supportsBrotli ? 'gzip, deflate, br' : 'gzip, deflate';
 		}
 
+		if (username || password) {
+			const credentials = Buffer.from(`${username}:${password}`).toString('base64');
+			headers.authorization = `Basic ${credentials}`;
+		}
+
 		// Set cookies
 		if (cookieJar) {
 			const cookieString: string = await cookieJar.getCookieString(options.url!.toString());
diff --git a/source/core/options.ts b/source/core/options.ts
@@ -1608,44 +1608,43 @@ export default class Options {
 	get username(): string {
 		const url = this._internals.url as URL;
 
-		if (url) {
-			return url.username;
-		}
+		const value = url ? url.username : this._internals.username;
 
-		return this._internals.username;
+		return decodeURIComponent(value);
 	}
 
 	set username(value: string) {
 		assert.string(value);
 
 		const url = this._internals.url as URL;
+		const fixedValue = encodeURIComponent(value);
 
 		if (url) {
-			url.username = value;
+			url.username = fixedValue;
 		} else {
-			this._internals.username = value;
+			this._internals.username = fixedValue;
 		}
 	}
 
 	get password(): string {
 		const url = this._internals.url as URL;
 
-		if (url) {
-			return url.password;
-		}
+		const value = url ? url.password : this._internals.password;
 
-		return this._internals.password;
+		return decodeURIComponent(value);
 	}
 
 	set password(value: string) {
 		assert.string(value);
 
 		const url = this._internals.url as URL;
 
+		const fixedValue = encodeURIComponent(value);
+
 		if (url) {
-			url.password = value;
+			url.password = fixedValue;
 		} else {
-			this._internals.password = value;
+			this._internals.password = fixedValue;
 		}
 	}
 
diff --git a/test/headers.ts b/test/headers.ts
@@ -260,3 +260,19 @@ test('strip port in host header if implicit standard port & protocol (HTTPS)', a
 	const body = await got('https://httpbin.org/headers').json<{headers: Headers}>();
 	t.is(body.headers.Host, 'httpbin.org');
 });
+
+test('correctly encodes authorization header', withServer, async (t, server, got) => {
+	server.get('/', echoHeaders);
+
+	const {authorization} = await got('', {username: 'test@'}).json();
+
+	t.is(authorization, `Basic ${Buffer.from('test@:').toString('base64')}`);
+});
+
+test('url passes if credentials contain special characters', withServer, async (t, server, got) => {
+	server.get('/', echoHeaders);
+
+	const {authorization} = await got('', {password: 't$es%t'}).json();
+
+	t.is(authorization, `Basic ${Buffer.from(':t$es%t').toString('base64')}`);
+});
