[Fix] Fully support Authorization headers using the Basic authenticat…

nvm.sh

@@ -158,7 +158,7 @@ nvm_download() {
 
 nvm_sanitize_auth_header() {
     # Remove potentially dangerous characters
-    nvm_echo "$1" | command sed 's/[^a-zA-Z0-9:;_. -]//g'
+    nvm_echo "$1" | command sed 's/[^a-zA-Z0-9:;_./+=~ -]//g'
 }
 
 nvm_has_system_node() {

test/fast/Unit tests/ferron-iojs-mirror.kdl

@@ -0,0 +1,9 @@
+// This is for starting a simple proxy that requires basic auth. The only valid credentials will be 'test:123?45>6'. The
+// docker command to run is the following (assuming the current working directory is the directory with this .kdl file.)
+// $ docker run --rm --publish 8081:8081 --volume "$(pwd):/mnt/cwd" ferronserver/ferron:2 ferron --config /mnt/cwd/ferron-iojs-mirror.kdl
+:8081 {
+  status 401 regex=".*" users="test"
+  user "test" "$argon2id$v=19$m=19456,t=2,p=1$emTillHaS3OqFuvITdXxzg$G00heP8QSXk5H/ruTiLt302Xk3uETfU5QO8hBIwUq08"
+  proxy "https://iojs.org/"
+  proxy_request_header_remove "Authorization"
+}

test/fast/Unit tests/ferron-nodejs-mirror.kdl

@@ -0,0 +1,9 @@
+// This is for starting a simple proxy that requires basic auth. The only valid credentials will be 'test:123?45>6'. The
+// docker command to run is the following (assuming the current working directory is the directory with this .kdl file.)
+// $ docker run --rm --publish 8080:8080 --volume "$(pwd):/mnt/cwd" ferronserver/ferron:2 ferron --config /mnt/cwd/ferron-nodejs-mirror.kdl
+:8080 {
+  status 401 regex=".*" users="test"
+  user "test" "$argon2id$v=19$m=19456,t=2,p=1$emTillHaS3OqFuvITdXxzg$G00heP8QSXk5H/ruTiLt302Xk3uETfU5QO8hBIwUq08"
+  proxy "https://nodejs.org/"
+  proxy_request_header_remove "Authorization"
+}

test/fast/Unit tests/nvm_download

@@ -19,7 +19,12 @@ nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/de
 # nvm_download should pass when calling with auth header
 docker pull kennethreitz/httpbin && SHELL=bash docker run -d --name httpbin -p 80:80 kennethreitz/httpbin
 sleep 1 # wait for httpbin to start
-NVM_AUTH_HEADER="Bearer test-token" nvm_download "http://127.0.0.1/bearer" > /dev/null || die 'nvm_download with auth header should send correctly'
+# NOTE: The test token here is derived from the RFC at https://datatracker.ietf.org/doc/html/rfc6750#section-2.1 and includes additional
+# valid bearer token characters.
+expected='{"authenticated":true,"token":"mF_9.B5f-4.1JqM~+/="}'
+actual="$(NVM_AUTH_HEADER="Bearer mF_9.B5f-4.1JqM~+/=" nvm_download "http://127.0.0.1/bearer" | tr -d "[:space:]")"
+[ "$?" = "0" ] || die 'nvm_download with auth header should send correctly'
+[ "${expected}" = "${actual}" ] || die 'nvm_download with auth header should send correct bearer token'
 
 # nvm_download should fail when calling without auth header
 nvm_download "http://127.0.0.1/bearer" > /dev/null && die 'nvm_download with no auth header should not send the header and should fail'

test/fast/Unit tests/nvm_download_with_basic_auth

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+cleanup () {
+  unset -f die cleanup
+  docker stop httpbin && docker rm httpbin
+}
+die () { echo "$@" ; cleanup ; exit 1; }
+
+\. ../../../nvm.sh
+
+set -ex
+
+# nvm_download install.sh
+nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null || die "nvm_download unable to download install.sh"
+
+# nvm_download should pass when calling with basic auth header with correct username and password
+docker pull kennethreitz/httpbin && SHELL=bash docker run -d --name httpbin -p 80:80 kennethreitz/httpbin
+sleep 1 # wait for httpbin to start
+proxy="http://127.0.0.1/basic-auth/test/123%3F45%3E6"
+# These credentials were generated by running `printf 'test:123?45>6' | base64`. These credentials were chosen because their
+# base64 encoded value contain the necessary special characters '+', '/', and '='.
+base64_encoded_credentials="dGVzdDoxMjM/NDU+Ng=="
+NVM_AUTH_HEADER="Basic ${base64_encoded_credentials}" nvm_download "${proxy}" > /dev/null || die 'nvm_download should pass when calling with basic auth header with correct username and password'
+
+# nvm_download should fail when calling with basic auth header with incorrect password
+NVM_AUTH_HEADER="Basic $(printf 'test:123?45>67' | base64)" nvm_download "${proxy}" > /dev/null && die 'nvm_download should fail when calling with basic auth header with incorrect password'
+
+cleanup

test/fast/Unit tests/nvm_ls_remote_with_proxy_requiring_basic_auth

@@ -0,0 +1,45 @@
+#!/bin/sh
+# shellcheck shell=dash
+# shellcheck disable=SC2039 # local is non-POSIX
+
+cleanup () {
+  unset -f die cleanup NVM_NODEJS_ORG_MIRROR
+  docker stop ferron-nodejs-mirror && docker rm ferron-nodejs-mirror
+  docker stop ferron-iojs-mirror && docker rm ferron-iojs-mirror
+}
+die () { echo "$@" ; cleanup ; exit 1; }
+
+set -e
+
+{ [ -e "ferron-nodejs-mirror.kdl" ] && [ -e "ferron-iojs-mirror.kdl" ]; } || die nvm_ls_remote_with_proxy_requiring_basic_auth Need to set working directory of script to Unit tests directory.
+
+# shellcheck source=/dev/null # The nvm.sh script is checked separately.
+\. ../../../nvm.sh
+
+docker run --detach --name ferron-nodejs-mirror --publish 8080:8080 --volume "$(pwd):/mnt/cwd" ferronserver/ferron:2 ferron --config /mnt/cwd/ferron-nodejs-mirror.kdl
+docker run --detach --name ferron-iojs-mirror --publish 8081:8081 --volume "$(pwd):/mnt/cwd" ferronserver/ferron:2 ferron --config /mnt/cwd/ferron-iojs-mirror.kdl
+sleep 1 # wait for ferron containers to start
+
+export NVM_NODEJS_ORG_MIRROR="http://localhost:8080/dist"
+export NVM_IOJS_ORG_MIRROR="http://localhost:8081/dist"
+# These credentials were generated by running `printf 'test:123?45>6' | base64`. These credentials were chosen because their
+# base64 encoded value contain the necessary special characters '+', '/', and '='.
+base64_encoded_credentials="dGVzdDoxMjM/NDU+Ng=="
+export NVM_AUTH_HEADER="Basic ${base64_encoded_credentials}"
+
+OUTPUT="$(nvm_ls_remote)"
+echo "nvm_ls_remote output: ${OUTPUT}"
+[ -n "${OUTPUT}" ] || die nvm_ls_remote_with_proxy_requiring_basic_auth Failed to run nvm_ls_remote through nodejs mirror requiring basic auth.
+
+OUTPUT="$(nvm_ls_remote_iojs)"
+echo "nvm_ls_remote_iojs output: ${OUTPUT}"
+[ -n "${OUTPUT}" ] || die nvm_ls_remote_with_proxy_requiring_basic_auth Failed to run nvm_ls_remote_iojs through iojs mirror requiring basic auth.
+
+# Remove auth header and try using mirrors. This time it should fail due to missing creds.
+unset NVM_AUTH_HEADER
+
+nvm_ls_remote && die nvm_ls_remote_with_proxy_requiring_basic_auth Unexpected success of run of nvm_ls_remote through nodejs mirror without required credentials.
+
+nvm_ls_remote_iojs && die nvm_ls_remote_with_proxy_requiring_basic_auth Unexpected success of run of nvm_ls_remote_iojs through iojs mirror without required credentials.
+
+cleanup