fix: encode Basic Auth per RFC 7617 in proxied_client.go (#758)

boinger · web-flow · commit caf40956db1a · 2026-04-20T07:47:21.000+01:00
diff --git a/proxied_client.go b/proxied_client.go
@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"log/slog"
+	"net/url"
 	"sync"
 
 	mcp_client "github.com/mark3labs/mcp-go/client"
@@ -22,6 +23,17 @@ type ProxiedClient struct {
 	mutex          sync.RWMutex
 }
 
+// basicAuthHeader encodes credentials per RFC 7617:
+// base64(username ":" password) with raw bytes, matching
+// (*http.Request).SetBasicAuth in the standard library. url.Userinfo.String()
+// percent-escapes reserved characters per RFC 3986, which is wrong here —
+// passwords containing ':', '@', '/', '%', or space would be double-encoded
+// on the wire and rejected by spec-compliant Basic Auth parsers.
+func basicAuthHeader(u *url.Userinfo) string {
+	password, _ := u.Password()
+	return "Basic " + base64.StdEncoding.EncodeToString([]byte(u.Username()+":"+password))
+}
+
 // NewProxiedClient creates a new connection to a remote MCP server
 func NewProxiedClient(ctx context.Context, datasourceUID, datasourceName, datasourceType, mcpEndpoint string) (*ProxiedClient, error) {
 	// Get Grafana config for authentication
@@ -32,8 +44,7 @@ func NewProxiedClient(ctx context.Context, datasourceUID, datasourceName, dataso
 	if config.APIKey != "" {
 		headers["Authorization"] = "Bearer " + config.APIKey
 	} else if config.BasicAuth != nil {
-		auth := config.BasicAuth.String()
-		headers["Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
+		headers["Authorization"] = basicAuthHeader(config.BasicAuth)
 	}
 
 	// Add org ID header if configured
diff --git a/proxied_client_test.go b/proxied_client_test.go
@@ -0,0 +1,71 @@
+package mcpgrafana
+
+import (
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestBasicAuthHeaderEncoding verifies that basicAuthHeader produces the
+// same bytes as (*http.Request).SetBasicAuth — base64(username ":" password)
+// with raw bytes per RFC 7617. Regression test for the bug where
+// url.Userinfo.String() was used, which percent-escapes reserved characters
+// per RFC 3986 and breaks Basic Auth for passwords containing ':', '@',
+// '/', '%', or space.
+func TestBasicAuthHeaderEncoding(t *testing.T) {
+	cases := []struct {
+		name, username, password, want string
+	}{
+		{
+			name:     "plain ASCII",
+			username: "admin",
+			password: "password",
+			want:     "Basic YWRtaW46cGFzc3dvcmQ=",
+		},
+		{
+			name:     "colon in password",
+			username: "admin",
+			password: "p:w0rd",
+			want:     "Basic YWRtaW46cDp3MHJk",
+		},
+		{
+			name:     "at sign in password",
+			username: "admin",
+			password: "p@ssw0rd",
+			want:     "Basic YWRtaW46cEBzc3cwcmQ=",
+		},
+		{
+			name:     "percent in password",
+			username: "admin",
+			password: "p%w0rd",
+			want:     "Basic YWRtaW46cCV3MHJk",
+		},
+		{
+			name:     "space in password",
+			username: "admin",
+			password: "pw 0rd",
+			want:     "Basic YWRtaW46cHcgMHJk",
+		},
+		{
+			name:     "slash in password",
+			username: "admin",
+			password: "p/w0rd",
+			want:     "Basic YWRtaW46cC93MHJk",
+		},
+		{
+			name:     "empty password",
+			username: "admin",
+			password: "",
+			want:     "Basic YWRtaW46",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			u := url.UserPassword(tc.username, tc.password)
+			got := basicAuthHeader(u)
+			assert.Equal(t, tc.want, got,
+				"basicAuthHeader must produce raw base64(user:password) per RFC 7617, not percent-encoded userinfo")
+		})
+	}
+}
