fix(core): allow colons inside passwords (#29576)

Co-authored-by: Kit Langton <kit.langton@gmail.com>
2026-05-31 21:50:53 +00:00 · 2026-05-28 19:17:35 +02:00 · 2026-05-28 19:17:35 +02:00 · 72d008bd5c
commit 72d008bd5c
parent 202ec12056
2 changed files with 18 additions and 4 deletions
--- a/packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts
+++ b/packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts
@ -63,11 +63,11 @@ function decodeCredential(input: string) {
    Effect.match({
      onFailure: emptyCredential,
      onSuccess: (header) => {
-        const parts = header.split(":")
-        if (parts.length !== 2) return emptyCredential()
+        const separator = header.indexOf(":")
+        if (separator === -1) return emptyCredential()
        return {
-          username: parts[0],
-          password: Redacted.make(parts[1]),
+          username: header.slice(0, separator),
+          password: Redacted.make(header.slice(separator + 1)),
        }
      },
    }),
--- a/packages/opencode/test/server/httpapi-ui.test.ts
+++ b/packages/opencode/test/server/httpapi-ui.test.ts
@ -406,6 +406,20 @@ describe("HttpApi UI fallback", () => {
    }),
  )

+  it.live("accepts basic auth passwords containing colons for the web UI", () =>
+    Effect.gen(function* () {
+      const response = yield* uiApp({
+        password: "sec:ret",
+        username: "opencode",
+        disableEmbeddedWebUi: true,
+      }).request("/", {
+        headers: { authorization: `Basic ${btoa("opencode:sec:ret")}` },
+      })
+
+      expect(response.status).toBe(200)
+    }),
+  )
+
  // Regression for #25698 (Ope): the browser fetches the PWA manifest and
  // its icons via flows that don't carry app-managed credentials (the
  // `<link rel="manifest">` request is not under page-auth control), so the