From c42c27466aa15a4c4fd1e361ad44f47dee7c342c Mon Sep 17 00:00:00 2001
From: Nick Muerdter
Date: Thu, 10 Sep 2015 07:58:32 -0600
Subject: [PATCH] Fix user-sent basic auth not being passed to api backend.

This addresses the accidental breakage of clients sending their own http basic auth since the last commit. We now also have integration tests to cover this scenario. See https://github.com/18F/api.data.gov/issues/282
---
 templates/etc/varnish.vcl.hbs | 6 ++++--
 test/integration/proxying.js | 29 +++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/templates/etc/varnish.vcl.hbs b/templates/etc/varnish.vcl.hbs
index 14961db..40d0b27 100644
--- a/templates/etc/varnish.vcl.hbs
+++ b/templates/etc/varnish.vcl.hbs
@@ -118,8 +118,10 @@ sub vcl_backend_fetch {
 # Restore the original Authorization header we temporarily moved in vcl_recv
 # to allow for caching of some requests with Authorization headers.
- set bereq.http.Authorization = bereq.http.X-Api-Umbrella-Orig-Authorization;
- unset bereq.http.X-Api-Umbrella-Orig-Authorization;
+ if(bereq.http.X-Api-Umbrella-Orig-Authorization) {
+ set bereq.http.Authorization = bereq.http.X-Api-Umbrella-Orig-Authorization;
+ unset bereq.http.X-Api-Umbrella-Orig-Authorization;
+ }
 }
 sub vcl_backend_response {
diff --git a/test/integration/proxying.js b/test/integration/proxying.js
index cd4fb59..c5b5510 100644
--- a/test/integration/proxying.js
+++ b/test/integration/proxying.js
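Review bot: The new guard in vcl_backend_fetch (templates/etc/varnish.vcl.hbs) treats any `X-Api-Umbrella-Orig-Authorization` value present on bereq as trusted, and nothing in this hunk shows that a client-supplied copy of that internal header is discarded before it gets here. If vcl_recv or an earlier layer (both outside the hunk) does not strip it on entry, the value would be copied over `Authorization` on the backend request, including over credentials the proxy layer adds. It is worth confirming that vcl_recv runs something like `unset req.http.X-Api-Umbrella-Orig-Authorization;` before it moves the real header, and adding an integration test asserting that a client-sent value for that header never reaches the backend. A comment above the `if` would also help the next reader: `# Only restore when vcl_recv actually moved the header; otherwise keep the client's own Authorization.` The body of vcl_backend_fetch starts before this hunk.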
@@ -1227,4 +1227,33 @@ describe('proxying', function() {
 ], done);
 });
 });
+
+ describe('http basic auth', function() {
+ it('passes the original http basic auth headers to the api backend', function(done) {
+ request.get('http://foo:bar@localhost:9080/info/', this.options, function(error, response, body) {
+ var data = JSON.parse(body);
+ data.basic_auth_username.should.eql('foo');
+ data.basic_auth_password.should.eql('bar');
+ done();
+ });
+ });
+
+ it('passes http basic auth added at the proxy layer to the api backend', function(done) {
+ request.get('http://localhost:9080/add-auth-header/info/', this.options, function(error, response, body) {
+ var data = JSON.parse(body);
+ data.basic_auth_username.should.eql('somebody');
+ data.basic_auth_password.should.eql('secret');
+ done();
+ });
+ });
+
+ it('replaces http basic auth headers passed by the client when the api backend forces its own http basic auth', function(done) {
+ request.get('http://foo:bar@localhost:9080/add-auth-header/info/', this.options, function(error, response, body) {
+ var data = JSON.parse(body);
+ data.basic_auth_username.should.eql('somebody');
+ data.basic_auth_password.should.eql('secret');
+ done();
+ });
+ });
+ });
 });
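Review bot: All three new callbacks in the 'http basic auth' describe block call `JSON.parse(body)` without looking at `error` or the response status, so a refused connection or an error page surfaces as a parse exception thrown inside the callback rather than as a clear assertion failure. Adding checks such as `should.not.exist(error);` and `response.statusCode.should.eql(200);` before the parse would make a failure point at its real cause. The cases also cover only requests where some credentials end up on the backend; a case that sends no credentials and asserts the backend receives none would pin down the path the new VCL guard skips. The enclosing describe('proxying') block starts outside this hunk.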