From df0e1256e67276f203bb2dc93ba747bb18df8f26 Mon Sep 17 00:00:00 2001
From: HimeHina <1545340072@qq.com>
Date: Sat, 14 Feb 2026 23:44:54 +0800
Subject: [PATCH] Fix: HTTP Basic Auth fails when password contains colons (#5153)
* Fix: HTTP Basic Auth fails when password contains colons
The credentials in HTTP Basic Auth are formatted as base64(username:password). Per RFC 7617, the username must not contain a colon, but the password can. The previous code used `.split(':')` which splits on all colons, truncating passwords that contain ':' characters. Fix by splitting only on the first colon.
* Use spread syntax for credential parsing
---
 src/middleware/basicAuth.js | 3 ++-
 src/users.js | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/middleware/basicAuth.js b/src/middleware/basicAuth.js
index 83f952398..672a4d43e 100644
--- a/src/middleware/basicAuth.js
+++ b/src/middleware/basicAuth.js
@@ -32,9 +32,10 @@ const basicAuthMiddleware = async function (request, response, callback) {
  }
  const usePerUserAuth = PER_USER_BASIC_AUTH && ENABLE_ACCOUNTS;
- const [username, password] = Buffer.from(credentials, 'base64')
+ const [username, ...passwordParts] = Buffer.from(credentials, 'base64')
  .toString('utf8')
  .split(':');
+ const password = passwordParts.join(':');
  if (!usePerUserAuth && username === basicAuthUserName && password === basicAuthUserPassword) {
  return callback();
diff --git a/src/users.js b/src/users.js
index 5b5ef55cc..8693c767a 100644
--- a/src/users.js
+++ b/src/users.js
@@ -822,9 +822,10 @@ async function basicUserLogin(request) {
  return false;
  }
- const [username, password] = Buffer.from(credentials, 'base64')
+ const [username, ...passwordParts] = Buffer.from(credentials, 'base64')
  .toString('utf8')
  .split(':');
+ const password = passwordParts.join(':');
  const userHandles = await getAllUserHandles();
  for (const userHandle of userHandles) {
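Review bot: In src/middleware/basicAuth.js, a decoded credential that contains no colon at all now produces `password === ''` (an empty `passwordParts` joined), where the old destructuring left it `undefined`, so a malformed header can no longer be told apart from `user:` with an empty password. Against the comparison visible in this hunk that grants nothing `user:` did not already grant, but the identical parse in src/users.js feeds a password check that lies outside its hunk, so it is worth confirming that an empty string is not accepted there. Locating the separator explicitly keeps the RFC 7617 first-colon rule and lets the malformed case be rejected: hold the decoded string in a local, take `const sep = decoded.indexOf(':');`, fail when `sep === -1`, then use `decoded.slice(0, sep)` and `decoded.slice(sep + 1)`. Both enclosing functions start and end outside their hunks.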
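Review bot: The credential parse in `basicUserLogin` in src/users.js is now a verbatim copy of the one in src/middleware/basicAuth.js, and this commit had to apply the same correction to both copies. One shared helper that takes the base64 string and returns `{ username, password }` would keep the two authentication paths from drifting apart the next time the parsing rule changes. A comment above the parse, `// RFC 7617: split on the first colon only; the password may contain ':'`, would also record why the rest element is there. The function body continues outside the hunk.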