From 5c1f8850d9983d941187269741aee535841412c3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=B4me=20Benoit?=
Date: Wed, 22 Apr 2026 21:57:45 +0200
Subject: [PATCH] fix: enforce RFC 7617 colon-free username across all Basic Auth paths

- Skip supervision WebSocket auth with warning when supervisionUser contains ':' (convergence point for templates and all API paths)
- Reject ':' in authentication.username via Zod regex in UI config schema (covers ui/web and ui/cli config files)
---
 src/charging-station/ChargingStation.ts | 8 +++++++-
 ui/common/src/config/schema.ts | 5 ++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/charging-station/ChargingStation.ts b/src/charging-station/ChargingStation.ts
index 2cb492c3..a17df487 100644
--- a/src/charging-station/ChargingStation.ts
+++ b/src/charging-station/ChargingStation.ts
@@ -863,7 +863,13 @@ export class ChargingStation extends EventEmitter {
       return
     }
     if (this.stationInfo?.supervisionUser != null && this.stationInfo.supervisionPassword != null) {
-      options.auth = `${this.stationInfo.supervisionUser}:${this.stationInfo.supervisionPassword}`
+      if (this.stationInfo.supervisionUser.includes(':')) {
+        logger.warn(
+          `${this.logPrefix()} Supervision user contains ':' which is invalid in HTTP Basic Auth (RFC 7617) — skipping auth`
+        )
+      } else {
+        options.auth = `${this.stationInfo.supervisionUser}:${this.stationInfo.supervisionPassword}`
+      }
     }
     if (params.closeOpened) {
       this.closeWSConnection()
diff --git a/ui/common/src/config/schema.ts b/ui/common/src/config/schema.ts
index 8ec00202..5c5ca017 100644
--- a/ui/common/src/config/schema.ts
+++ b/ui/common/src/config/schema.ts
@@ -7,7 +7,10 @@ export const authenticationConfigSchema = z
     enabled: z.boolean(),
     password: z.string().optional(),
     type: z.enum(AuthenticationType),
-    username: z.string().optional(),
+    username: z
+      .string()
+      .regex(/^[^:]*$/, 'must not contain ":"')
+      .optional(),
   })
   .refine(
     data =>
-- 
2.43.0
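Review bot: The new branch in the ChargingStation hunk fails open: when supervisionUser contains ':' the code logs a warning and then continues to open the WebSocket with `options.auth` unset, so a station whose operator configured credentials connects to the CSMS anonymously instead of refusing to run with a credential that cannot be encoded. The RFC 7617 constraint is a property of the configuration, not of the connection attempt, so it would be safer to reject the value where stationInfo is built (mirroring the Zod check the same commit adds to the UI schema) or to treat it as an error here rather than a warning that is easy to miss in logs. If a hard failure is not acceptable at this point, log it at error level and leave a comment such as `// RFC 7617 §2: user-id must not contain ':'; the password may` so a later reader does not "fix" the asymmetry by also checking the password. The enclosing method starts and ends outside the hunk, so I cannot tell whether a caller already validates supervisionUser.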
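Review bot: The `.regex(/^[^:]*$/, …)` on `username` in the schema hunk carries no comment saying why a colon is forbidden, and the regex form hides a condition that is just "no ':' anywhere". A reader of schema.ts alone has no link to RFC 7617, so add `// RFC 7617 §2: the Basic Auth user-id must not contain ':' (the password may)` above the field; writing the check as `.refine(u => !u.includes(':'), 'must not contain ":"')` would also read as the literal condition, though the regex is equivalent for JS strings since `[^:]` matches newlines too. Leaving `password` unconstrained is correct under the same RFC and is worth stating in that comment so the asymmetry is not mistaken for an omission.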