taler-typescript-core

Wallet core logic and WebUIs for various components
Log | Files | Refs | Submodules | README | LICENSE

commit c778af04f43871530c1cac29b281950f1a87dff7
parent 8ed984d70a327d1cdf3c529b419cd5f8b4650b38
Author: Hernâni Marques <hernani@vecirex.net>
Date:   Sat, 18 Jul 2026 01:53:14 +0200

fix/taler-merchant-webui (11340): mitigate HTTP 401 by lowercasing instance username at createAccessToken and session, so password change, access tokens, and reset also avoid case-sensitive Basic auth

Diffstat:
Mpackages/taler-merchant-webui/src/context/session.ts | 18+++++++++++++-----
Mpackages/taler-util/src/http-client/merchant.ts | 4+++-
2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/packages/taler-merchant-webui/src/context/session.ts b/packages/taler-merchant-webui/src/context/session.ts @@ -87,7 +87,10 @@ export const codecForSessionState = (): Codec<SavedSession> => function inferInstanceName(url: URL) { const match = INSTANCE_ID_LOOKUP.exec(url.href); - return !match || !match[1] ? DEFAULT_ADMIN_USERNAME : match[1]; + // #11340: Basic-auth username is case-sensitive; keep session instance lowercase. + return !match || !match[1] + ? DEFAULT_ADMIN_USERNAME + : match[1].toLowerCase(); } export const defaultState = (url: URL): SavedSession => { @@ -240,11 +243,14 @@ export const SessionContextProvider = ({ cleanAllCache(); }, logIn(username, token) { + // #11340: normalize so session.instance and Basic-auth callers stay lowercase. + // Covers password change, access-token create, resetAccount, etc. + const id = username.toLowerCase(); cleanAllCache(); setStatus("loggedIn"); let backendUrl: URL; - if (currentInstance !== username) { - backendUrl = new URL(rootLib.subInstanceApi(username).instance.baseUrl); + if (currentInstance !== id) { + backendUrl = new URL(rootLib.subInstanceApi(id).instance.baseUrl); } else { backendUrl = state.backendUrl; } @@ -255,8 +261,10 @@ export const SessionContextProvider = ({ }); }, getInstanceForUsername(username: string) { - return username !== currentInstance - ? rootLib.subInstanceApi(username).instance + // #11340: path/Basic identity lowercase (login, resetAccount, …). + const id = username.toLowerCase(); + return id !== currentInstance + ? rootLib.subInstanceApi(id).instance : lib.instance; }, }; diff --git a/packages/taler-util/src/http-client/merchant.ts b/packages/taler-util/src/http-client/merchant.ts @@ -292,9 +292,11 @@ export class TalerMerchantInstanceHttpClient { } = {}, ) { const url = new URL(`private/token`, this.baseUrl); + // #11340: Basic-auth username is case-sensitive; lowercase avoids 401. + // Covers login, password change, access-token create, admin-create token, etc. const headers = authHeaders({ type: "basic", - username: instance, + username: instance.toLowerCase(), password, }); if (params.challengeIds && params.challengeIds.length > 0) {