Fix user-sent basic auth not being passed to api backend.

This addresses the accidental breakage of clients sending their own http basic auth since the last commit. We now also have integration tests to cover this scenario. See 18F/api.data.gov#282
NREL · Sep 10, 2015 · c42c274 · c42c274
1 parent fc9700b
commit c42c274
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/templates/etc/varnish.vcl.hbs b/templates/etc/varnish.vcl.hbs
@@ -118,8 +118,10 @@ sub vcl_backend_fetch {
 
   # Restore the original Authorization header we temporarily moved in vcl_recv
   # to allow for caching of some requests with Authorization headers.
-  set bereq.http.Authorization = bereq.http.X-Api-Umbrella-Orig-Authorization;
-  unset bereq.http.X-Api-Umbrella-Orig-Authorization;
+  if(bereq.http.X-Api-Umbrella-Orig-Authorization) {
+    set bereq.http.Authorization = bereq.http.X-Api-Umbrella-Orig-Authorization;
+    unset bereq.http.X-Api-Umbrella-Orig-Authorization;
+  }
 }
 
 sub vcl_backend_response {

diff --git a/test/integration/proxying.js b/test/integration/proxying.js
@@ -1227,4 +1227,33 @@ describe('proxying', function() {
       ], done);
     });
   });
+
+  describe('http basic auth', function() {
+    it('passes the original http basic auth headers to the api backend', function(done) {
+      request.get('http://foo:bar@localhost:9080/info/', this.options, function(error, response, body) {
+        var data = JSON.parse(body);
+        data.basic_auth_username.should.eql('foo');
+        data.basic_auth_password.should.eql('bar');
+        done();
+      });
+    });
+
+    it('passes http basic auth added at the proxy layer to the api backend', function(done) {
+      request.get('http://localhost:9080/add-auth-header/info/', this.options, function(error, response, body) {
+        var data = JSON.parse(body);
+        data.basic_auth_username.should.eql('somebody');
+        data.basic_auth_password.should.eql('secret');
+        done();
+      });
+    });
+
+    it('replaces http basic auth headers passed by the client when the api backend forces its own http basic auth', function(done) {
+      request.get('http://foo:bar@localhost:9080/add-auth-header/info/', this.options, function(error, response, body) {
+        var data = JSON.parse(body);
+        data.basic_auth_username.should.eql('somebody');
+        data.basic_auth_password.should.eql('secret');
+        done();
+      });
+    });
+  });
 });