merchant

Merchant backend to process payments, run by merchants
Log | Files | Refs | Submodules | README | LICENSE

commit e26b777cd02f39b4bd2ad13590cb0e1d48b5068e
parent 5fba86ff7cc5bb7ec52f5a9375d8e0c2a0a80af1
Author: Florian Dold <florian@dold.me>
Date:   Sat, 18 Jul 2026 00:10:47 +0200

lower-case instance name in auth header

Diffstat:
Msrc/backend/taler-merchant-httpd_auth.c | 11+++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/backend/taler-merchant-httpd_auth.c b/src/backend/taler-merchant-httpd_auth.c @@ -221,7 +221,7 @@ check_auth_instance (const char *userpass, { char *tmp; char *colon; - const char *instance_name; + char *instance_name; const char *password; const char *target_instance = "admin"; enum GNUNET_GenericReturnValue ret; @@ -251,8 +251,13 @@ check_auth_instance (const char *userpass, return GNUNET_SYSERR; } *colon = '\0'; - instance_name = tmp; password = colon + 1; + /* Instance IDs are stored in canonical (lower-case) form (see + GNUNET_STRINGS_utf8_tolower() in the instance creation and lookup + paths), so we must fold the username to the same canonical form + before comparing; otherwise a mixed-case username would not match + the stored id ("myshop") and Basic auth would fail with HTTP 401. */ + instance_name = GNUNET_STRINGS_utf8_tolower (tmp); /* instance->settings.id can be NULL if there is no instance yet */ if (NULL != instance->settings.id) target_instance = instance->settings.id; @@ -263,9 +268,11 @@ check_auth_instance (const char *userpass, "Somebody tried to login to instance %s with username %s (login failed).\n", target_instance, instance_name); + GNUNET_free (instance_name); GNUNET_free (tmp); return GNUNET_SYSERR; } + GNUNET_free (instance_name); ret = TMH_check_auth (password, &instance->auth.auth_salt, &instance->auth.auth_hash);