Handle passwords in-transit Base64 encoded to allow arbitrary characters / escape sequences (fixes #2892)

app.php

@@ -117,7 +117,9 @@ else
 
 $authMiddlewareClass = GROCY_AUTH_CLASS;
 $app->add(new $authMiddlewareClass($container, $app->getResponseFactory()));
+
 // Add default middleware
+$app->addBodyParsingMiddleware();
 $app->addRoutingMiddleware();
 $errorMiddleware = $app->addErrorMiddleware(true, false, false);
 $errorMiddleware->setDefaultErrorHandler(

changelog/82_UNRELEASED_xxxx-xx-xx.md

@@ -52,7 +52,7 @@
 
 ### General
 
-- xxx
+- Fixed that it wasn't possible to log in using passwords containing special escape sequences (e.g. `<<`)
 
 ### API
 

controllers/LoginController.php

@@ -22,7 +22,15 @@ class LoginController extends BaseController
 	public function ProcessLogin(Request $request, Response $response, array $args)
 	{
 		$authMiddlewareClass = GROCY_AUTH_CLASS;
-		if ($authMiddlewareClass::ProcessLogin($request->getParsedBody()))
+
+		$postParams = $request->getParsedBody();
+		if (isset($postParams['password_base64']))
+		{
+			$postParams['password'] = base64_decode($postParams['password_base64']);
+		}
+		unset($postParams['password_base64']);
+
+		if ($authMiddlewareClass::ProcessLogin($postParams))
 		{
 			return $response->withRedirect($this->AppContainer->get('UrlManager')->ConstructUrl('/'));
 		}

controllers/UsersApiController.php

@@ -43,6 +43,12 @@ class UsersApiController extends BaseApiController
 				throw new \Exception('Request body could not be parsed (probably invalid JSON format or missing/wrong Content-Type header)');
 			}
 
+			if (isset($requestBody['password_base64']))
+			{
+				$requestBody['password'] = base64_decode($requestBody['password_base64']);
+			}
+			unset($requestBody['password_base64']);
+
 			$this->getUsersService()->CreateUser($requestBody['username'], $requestBody['first_name'], $requestBody['last_name'], $requestBody['password'], $requestBody['picture_file_name']);
 			return $this->EmptyApiResponse($response);
 		}
@@ -81,6 +87,12 @@ class UsersApiController extends BaseApiController
 
 		try
 		{
+			if (isset($requestBody['password_base64']))
+			{
+				$requestBody['password'] = base64_decode($requestBody['password_base64']);
+			}
+			unset($requestBody['password_base64']);
+
 			$this->getUsersService()->EditUser($args['userId'], $requestBody['username'], $requestBody['first_name'], $requestBody['last_name'], $requestBody['password'], $requestBody['picture_file_name']);
 			return $this->EmptyApiResponse($response);
 		}

public/viewjs/login.js

@@ -8,3 +8,11 @@ if (GetUriParam('invalid') === 'true')
 	$('#login-error').text(__t('Invalid credentials, please try again'));
 	$('#login-error').removeClass('d-none');
 }
+
+$("#login-button").on("click", function (e)
+{
+	e.preventDefault();
+
+	$("#password_base64").val(btoa($("#password_input").val()));
+	$("#login-form").trigger("submit");
+});

public/viewjs/userform.js

@@ -46,6 +46,11 @@ $('#save-user-button').on('click', function(e)
 		jsonData.picture_file_name = RandomString() + CleanFileName($("#user-picture")[0].files[0].name);
 	}
 
+	jsonData.password_base64 = btoa(jsonData.password);
+	delete jsonData.password;
+	delete jsonData.password_confirm;
+	delete jsonData.change_password;
+
 	if (Grocy.EditMode === 'create')
 	{
 		Grocy.Api.Post('users', jsonData,

views/login.blade.php

@@ -23,13 +23,16 @@
 					name="username">
 			</div>
 
+
+			<input type="hidden"
+				id="password_base64"
+				name="password_base64">
 			<div class="form-group">
-				<label for="password">{{ $__t('Password') }}</label>
+				<label for="password_input">{{ $__t('Password') }}</label>
 				<input type="password"
 					class="form-control"
 					required
-					id="password"
-					name="password">
+					id="password_input">
 				<div id="login-error"
 					class="form-text text-danger d-none"></div>
 			</div>