commit c778af04f43871530c1cac29b281950f1a87dff7
parent 8ed984d70a327d1cdf3c529b419cd5f8b4650b38
Author: Hernâni Marques <hernani@vecirex.net>
Date: Sat, 18 Jul 2026 01:53:14 +0200
fix/taler-merchant-webui (11340): mitigate HTTP 401 by lowercasing instance username at createAccessToken and session, so password change, access tokens, and reset also avoid case-sensitive Basic auth
Diffstat:
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/packages/taler-merchant-webui/src/context/session.ts b/packages/taler-merchant-webui/src/context/session.ts
@@ -87,7 +87,10 @@ export const codecForSessionState = (): Codec<SavedSession> =>
function inferInstanceName(url: URL) {
const match = INSTANCE_ID_LOOKUP.exec(url.href);
- return !match || !match[1] ? DEFAULT_ADMIN_USERNAME : match[1];
+ // #11340: Basic-auth username is case-sensitive; keep session instance lowercase.
+ return !match || !match[1]
+ ? DEFAULT_ADMIN_USERNAME
+ : match[1].toLowerCase();
}
export const defaultState = (url: URL): SavedSession => {
@@ -240,11 +243,14 @@ export const SessionContextProvider = ({
cleanAllCache();
},
logIn(username, token) {
+ // #11340: normalize so session.instance and Basic-auth callers stay lowercase.
+ // Covers password change, access-token create, resetAccount, etc.
+ const id = username.toLowerCase();
cleanAllCache();
setStatus("loggedIn");
let backendUrl: URL;
- if (currentInstance !== username) {
- backendUrl = new URL(rootLib.subInstanceApi(username).instance.baseUrl);
+ if (currentInstance !== id) {
+ backendUrl = new URL(rootLib.subInstanceApi(id).instance.baseUrl);
} else {
backendUrl = state.backendUrl;
}
@@ -255,8 +261,10 @@ export const SessionContextProvider = ({
});
},
getInstanceForUsername(username: string) {
- return username !== currentInstance
- ? rootLib.subInstanceApi(username).instance
+ // #11340: path/Basic identity lowercase (login, resetAccount, …).
+ const id = username.toLowerCase();
+ return id !== currentInstance
+ ? rootLib.subInstanceApi(id).instance
: lib.instance;
},
};
diff --git a/packages/taler-util/src/http-client/merchant.ts b/packages/taler-util/src/http-client/merchant.ts
@@ -292,9 +292,11 @@ export class TalerMerchantInstanceHttpClient {
} = {},
) {
const url = new URL(`private/token`, this.baseUrl);
+ // #11340: Basic-auth username is case-sensitive; lowercase avoids 401.
+ // Covers login, password change, access-token create, admin-create token, etc.
const headers = authHeaders({
type: "basic",
- username: instance,
+ username: instance.toLowerCase(),
password,
});
if (params.challengeIds && params.challengeIds.length > 0) {