Fixes #40

src/idunno.Authentication.Basic/BasicAuthenticationHandler.cs

@@ -12,6 +12,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Net.Http.Headers;
+using System.Globalization;
 
 namespace idunno.Authentication.Basic
 {
@@ -70,15 +71,31 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             try
             {
                 string decodedCredentials = string.Empty;
+                byte[] base64DecodedCredentials;
                 try
                 {
-                    decodedCredentials = Encoding.UTF8.GetString(Convert.FromBase64String(encodedCredentials));
+                    base64DecodedCredentials = Convert.FromBase64String(encodedCredentials);
+                }
+                catch (FormatException)
+                {
+                    const string failedToDecodeCredentials = "Cannot convert credentials from Base64.";
+                    Logger.LogInformation(failedToDecodeCredentials);
+                    return AuthenticateResult.Fail(failedToDecodeCredentials);
+                }
+
+                try
+                {
+                    decodedCredentials = Encoding.UTF8.GetString(base64DecodedCredentials);
                 }
                 catch (Exception ex)
                 {
-                    throw new Exception($"Failed to decode credentials : {encodedCredentials}", ex);
+                    const string failedToDecodeCredentials = "Cannot build credentials from decoded base64 value, exception {0} encountered.";
+                    var logMessage = string.Format(CultureInfo.InvariantCulture, failedToDecodeCredentials, ex.Message);
+                    Logger.LogInformation(logMessage);
+                    return AuthenticateResult.Fail(logMessage);
                 }
 
+
                 var delimiterIndex = decodedCredentials.IndexOf(':');
                 if (delimiterIndex == -1)
                 {

test/idunno.Authentication.Test/BasicAuthenticationTests.cs

@@ -304,6 +304,17 @@ public async Task ValidateAuthenticationFailsIfOnValidateCredentialsFails()
             Assert.Equal(HttpStatusCode.Unauthorized, transaction.Response.StatusCode);
         }
 
+        [Fact]
+        public async Task ValidateAuthenticationFailsWhenAnInvalidUTF8AuthenticationHeaderIsSent()
+        {
+            var server = CreateServer(new BasicAuthenticationOptions
+            {
+            });
+
+            var transaction = await SendAsyncWithRawHeaderValue(server, "https://example.com/challenge", "%%%%%");
+            Assert.Equal(HttpStatusCode.Unauthorized, transaction.Response.StatusCode);
+        }
+
         [Fact]
         public async Task ValidateSupressionOfWWWAuthenticationHeader()
         {
@@ -427,6 +438,28 @@ private static async Task<Transaction> SendAsyncWithHeaderValue(TestServer serve
             return transaction;
         }
 
+        private static async Task<Transaction> SendAsyncWithRawHeaderValue(TestServer server, string uri, string authorizationHeaderValue, string scheme = "Basic")
+        {
+            var request = new HttpRequestMessage(HttpMethod.Get, uri);
+            request.Headers.Add(HeaderNames.Authorization, scheme + " " + authorizationHeaderValue);
+
+            var transaction = new Transaction
+            {
+                Request = request,
+                Response = await server.CreateClient().SendAsync(request),
+            };
+            transaction.ResponseText = await transaction.Response.Content.ReadAsStringAsync();
+
+            if (transaction.Response.Content != null &&
+                transaction.Response.Content.Headers.ContentType != null &&
+                transaction.Response.Content.Headers.ContentType.MediaType == "text/xml")
+            {
+                transaction.ResponseElement = XElement.Parse(transaction.ResponseText);
+            }
+            return transaction;
+        }
+
+
         private class Transaction
         {
             public HttpRequestMessage Request { get; set; }