#8 make authenticate method more robust

* use strict parameter of base64_decode instead of maintaining list of valid characters in regexp
* use limit in explode() to allow passwords with colons
* check if base64_decode failed
* check that array index is set

Author: BreiteSeite

src/BasicAccess.php

@@ -53,15 +53,31 @@ public function __construct(
     public function authenticate(ServerRequestInterface $request) : ?UserInterface
     {
         $authHeader = $request->getHeader('Authorization');
-        if (empty($authHeader)) {
+        if (! isset($authHeader[0])) {
             return null;
         }
 
-        if (! preg_match('/Basic (?P<credentials>[a-zA-Z0-9\+\/\=]+)/', $authHeader[0], $match)) {
+        if (! preg_match('/Basic (?P<credentials>.+)/', $authHeader[0], $match)) {
             return null;
         }
 
-        [$username, $password] = explode(':', base64_decode($match['credentials']));
+        $decodedCredentials = base64_decode($match['credentials'], true);
+
+        if (false === $decodedCredentials) {
+            return null;
+        }
+
+        $credentialParts = explode(':', $decodedCredentials, 2);
+
+        if (false === $credentialParts) {
+            return null;
+        }
+
+        if (2 !== count($credentialParts)) {
+            return null;
+        }
+
+        [$username, $password] = $credentialParts;
 
         return $this->repository->authenticate($username, $password);
     }