http: decodes url.username and url.password for authorization header

This change properly decodes the url.username and url.password for
the authorization header constructed from the URL object for
http(s) requests.

Fixes: #31439

PR-URL: #39310
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Robert Nagy <[email protected]>
Reviewed-By: James M Snell <[email protected]>

Author: Lew Gordon

doc/api/http.md

@@ -2767,6 +2767,10 @@ This can be overridden for servers and client requests by passing the
 <!-- YAML
 added: v0.3.6
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/39310
+    description: When using a `URL` object parsed username and
+                 password will now be properly URI decoded.
   - version: v14.17.0
     pr-url: https://github.com/nodejs/node/pull/36048
     description: It is possible to abort a request with an AbortSignal.

doc/api/https.md

@@ -251,6 +251,10 @@ Global instance of [`https.Agent`][] for all HTTPS client requests.
 <!-- YAML
 added: v0.3.6
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/39310
+    description: When using a `URL` object parsed username
+                 and password will now be properly URI decoded.
   - version: v14.1.0
     pr-url: https://github.com/nodejs/node/pull/32786
     description: The `highWaterMark` option is accepted now.

lib/internal/url.js

@@ -1303,7 +1303,7 @@ function urlToHttpOptions(url) {
     options.port = Number(url.port);
   }
   if (url.username || url.password) {
-    options.auth = `${url.username}:${url.password}`;
+    options.auth = `${decodeURIComponent(url.username)}:${decodeURIComponent(url.password)}`;
   }
   return options;
 }

test/parallel/test-http-decoded-auth.js

@@ -0,0 +1,48 @@
+'use strict';
+require('../common');
+const assert = require('assert');
+const http = require('http');
+
+const testCases = [
+  {
+    username: 'test@test"',
+    password: '123456^',
+    expected: 'dGVzdEB0ZXN0IjoxMjM0NTZe'
+  },
+  {
+    username: 'test%40test',
+    password: '123456',
+    expected: 'dGVzdEB0ZXN0OjEyMzQ1Ng=='
+  },
+  {
+    username: 'not%3Agood',
+    password: 'god',
+    expected: 'bm90Omdvb2Q6Z29k'
+  },
+  {
+    username: 'not%22good',
+    password: 'g%5Eod',
+    expected: 'bm90Imdvb2Q6Z15vZA=='
+  },
+  {
+    username: 'test1234::::',
+    password: 'mypass',
+    expected: 'dGVzdDEyMzQ6Ojo6Om15cGFzcw=='
+  },
+];
+
+for (const testCase of testCases) {
+  const server = http.createServer(function(request, response) {
+    // The correct authorization header is be passed
+    assert.strictEqual(request.headers.authorization, `Basic ${testCase.expected}`);
+    response.writeHead(200, {});
+    response.end('ok');
+    server.close();
+  });
+
+  server.listen(0, function() {
+    // make the request
+    const url = new URL(`http://${testCase.username}:${testCase.password}@localhost:${this.address().port}`);
+    http.request(url).end();
+  });
+}