commit e26b777cd02f39b4bd2ad13590cb0e1d48b5068e
parent 5fba86ff7cc5bb7ec52f5a9375d8e0c2a0a80af1
Author: Florian Dold <florian@dold.me>
Date: Sat, 18 Jul 2026 00:10:47 +0200
lower-case instance name in auth header
Diffstat:
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/backend/taler-merchant-httpd_auth.c b/src/backend/taler-merchant-httpd_auth.c
@@ -221,7 +221,7 @@ check_auth_instance (const char *userpass,
{
char *tmp;
char *colon;
- const char *instance_name;
+ char *instance_name;
const char *password;
const char *target_instance = "admin";
enum GNUNET_GenericReturnValue ret;
@@ -251,8 +251,13 @@ check_auth_instance (const char *userpass,
return GNUNET_SYSERR;
}
*colon = '\0';
- instance_name = tmp;
password = colon + 1;
+ /* Instance IDs are stored in canonical (lower-case) form (see
+ GNUNET_STRINGS_utf8_tolower() in the instance creation and lookup
+ paths), so we must fold the username to the same canonical form
+ before comparing; otherwise a mixed-case username would not match
+ the stored id ("myshop") and Basic auth would fail with HTTP 401. */
+ instance_name = GNUNET_STRINGS_utf8_tolower (tmp);
/* instance->settings.id can be NULL if there is no instance yet */
if (NULL != instance->settings.id)
target_instance = instance->settings.id;
@@ -263,9 +268,11 @@ check_auth_instance (const char *userpass,
"Somebody tried to login to instance %s with username %s (login failed).\n",
target_instance,
instance_name);
+ GNUNET_free (instance_name);
GNUNET_free (tmp);
return GNUNET_SYSERR;
}
+ GNUNET_free (instance_name);
ret = TMH_check_auth (password,
&instance->auth.auth_salt,
&instance->auth.auth_hash);