🧹 chore: Remove support for PasswordFromContext from BasicAuth middleware (#3638)

gaby · web-flow · commit ceacde5ca4dc · 2025-08-01T12:48:42.000+02:00
diff --git a/docs/middleware/basicauth.md b/docs/middleware/basicauth.md
@@ -6,14 +6,13 @@ id: basicauth
 
 Basic Authentication middleware for [Fiber](https://github.com/gofiber/fiber) that provides an HTTP basic authentication. It calls the next handler for valid credentials and [401 Unauthorized](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401) or a custom response for missing or invalid credentials.
 
-The default unauthorized response includes the header `WWW-Authenticate: Basic realm="Restricted", charset="UTF-8"` and sets `Cache-Control: no-store`.
+The default unauthorized response includes the header `WWW-Authenticate: Basic realm="Restricted", charset="UTF-8"`, sets `Cache-Control: no-store`, and adds a `Vary: Authorization` header.
 
 ## Signatures
 
 ```go
 func New(config Config) fiber.Handler
 func UsernameFromContext(c fiber.Ctx) string
-func PasswordFromContext(c fiber.Ctx) string
 ```
 
 ## Examples
@@ -72,15 +71,6 @@ hashing algorithm from a prefix:
 If no prefix is present the value is interpreted as a SHA-256 digest encoded in
 hex or base64. Plaintext passwords are rejected.
 
-```go
-func handler(c fiber.Ctx) error {
-    username := basicauth.UsernameFromContext(c)
-    password := basicauth.PasswordFromContext(c)
-    log.Printf("Username: %s Password: %s", username, password)
-    return c.SendString("Hello, " + username)
-}
-```
-
 ## Config
 
 | Property        | Type                        | Description                                                                                                                                                           | Default               |
@@ -90,7 +80,6 @@ func handler(c fiber.Ctx) error {
 | Realm           | `string`                    | Realm is a string to define the realm attribute of BasicAuth. The realm identifies the system to authenticate against and can be used by clients to save credentials. | `"Restricted"`        |
 | Charset         | `string`                    | Charset sent in the `WWW-Authenticate` header, so clients know how credentials are encoded. | `"UTF-8"` |
 | HeaderLimit     | `int`                       | Maximum allowed length of the `Authorization` header. Requests exceeding this limit are rejected. | `8192` |
-| StorePassword   | `bool`                      | Store the plaintext password in the context and retrieve it via `PasswordFromContext`. | `false` |
 | Authorizer      | `func(string, string, fiber.Ctx) bool` | Authorizer defines a function to check the credentials. It will be called with a username, password, and the current context and is expected to return true or false to indicate approval.  | `nil`                 |
 | Unauthorized    | `fiber.Handler`             | Unauthorized defines the response body for unauthorized responses.                                                                                                    | `nil`                 |
 
@@ -103,7 +92,6 @@ var ConfigDefault = Config{
     Realm:           "Restricted",
     Charset:         "UTF-8",
     HeaderLimit:     8192,
-    StorePassword:   false,
     Authorizer:      nil,
     Unauthorized:    nil,
 }
diff --git a/docs/whats_new.md b/docs/whats_new.md
@@ -1019,7 +1019,6 @@ Examples include:
 - `csrf.HandlerFromContext(c)`
 - `session.FromContext(c)`
 - `basicauth.UsernameFromContext(c)`
-- `basicauth.PasswordFromContext(c)`
 - `keyauth.TokenFromContext(c)`
 
 When used with the Logger middleware, the recommended approach is to use the `CustomTags` feature of the logger, which allows you to call these specific `FromContext` functions. See the [Logger](#logger) section for more details.
@@ -1054,7 +1053,7 @@ The adaptor middleware has been significantly optimized for performance and effi
 
 ### BasicAuth
 
-The BasicAuth middleware now validates the `Authorization` header more rigorously and sets security-focused response headers. Passwords must be provided in **hashed** form (e.g. SHA-256 or bcrypt) rather than plaintext. The default challenge includes the `charset="UTF-8"` parameter and disables caching. Passwords are no longer stored in the request context by default; use the new `StorePassword` option to retain them. A `Charset` option controls the value used in the challenge header.
+The BasicAuth middleware now validates the `Authorization` header more rigorously and sets security-focused response headers. Passwords must be provided in **hashed** form (e.g. SHA-256 or bcrypt) rather than plaintext. The default challenge includes the `charset="UTF-8"` parameter and disables caching. Responses also set a `Vary: Authorization` header to prevent caching based on credentials. Passwords are no longer stored in the request context. A `Charset` option controls the value used in the challenge header.
 A new `HeaderLimit` option restricts the maximum length of the `Authorization` header (default: `8192` bytes).
 The `Authorizer` function now receives the current `fiber.Ctx` as a third argument, allowing credential checks to incorporate request context.
 
@@ -1916,7 +1915,6 @@ You must update your code to use the dedicated exported functions provided by ea
 - `csrf.HandlerFromContext(c)`
 - `session.FromContext(c)`
 - `basicauth.UsernameFromContext(c)`
-- `basicauth.PasswordFromContext(c)`
 - `keyauth.TokenFromContext(c)`
 
 **For logging these values:**
@@ -1947,9 +1945,9 @@ Authorizer: func(user, pass string, _ fiber.Ctx) bool {
 }
 ```
 
-Passwords configured for BasicAuth must now be pre-hashed. If no prefix is supplied the middleware expects a SHA-256 digest encoded in hex. Common prefixes like `{SHA256}` and `{SHA512}` and bcrypt strings are also supported. Plaintext passwords are no longer accepted.
+Passwords configured for BasicAuth must now be pre-hashed. If no prefix is supplied the middleware expects a SHA-256 digest encoded in hex. Common prefixes like `{SHA256}` and `{SHA512}` and bcrypt strings are also supported. Plaintext passwords are no longer accepted. Unauthorized responses also include a `Vary: Authorization` header for correct caching behavior.
 
-You can also set the optional `HeaderLimit`, `StorePassword`, and `Charset`
+You can also set the optional `HeaderLimit` and `Charset`
 options to further control authentication behavior.
 
 #### Cache
diff --git a/middleware/basicauth/basicauth.go b/middleware/basicauth/basicauth.go
@@ -12,10 +12,9 @@ import (
 // other packages.
 type contextKey int
 
-// The keys for the values in context
+// The key for the username value stored in the context
 const (
 	usernameKey contextKey = iota
-	passwordKey
 )
 
 const basicScheme = "Basic"
@@ -70,9 +69,6 @@ func New(config Config) fiber.Handler {
 
 		if cfg.Authorizer(username, password, c) {
 			c.Locals(usernameKey, username)
-			if cfg.StorePassword {
-				c.Locals(passwordKey, password)
-			}
 			return c.Next()
 		}
 
@@ -90,13 +86,3 @@ func UsernameFromContext(c fiber.Ctx) string {
 	}
 	return username
 }
-
-// PasswordFromContext returns the password found in the context
-// returns an empty string if the password does not exist
-func PasswordFromContext(c fiber.Ctx) string {
-	password, ok := c.Locals(passwordKey).(string)
-	if !ok {
-		return ""
-	}
-	return password
-}
diff --git a/middleware/basicauth/basicauth_test.go b/middleware/basicauth/basicauth_test.go
@@ -54,14 +54,11 @@ func Test_Middleware_BasicAuth(t *testing.T) {
 			"john":  hashedJohn,
 			"admin": string(hashedAdmin),
 		},
-		StorePassword: true,
 	}))
 
 	app.Get("/testauth", func(c fiber.Ctx) error {
 		username := UsernameFromContext(c)
-		password := PasswordFromContext(c)
-
-		return c.SendString(username + password)
+		return c.SendString(username)
 	})
 
 	tests := []struct {
@@ -105,34 +102,11 @@ func Test_Middleware_BasicAuth(t *testing.T) {
 		require.Equal(t, tt.statusCode, resp.StatusCode)
 
 		if tt.statusCode == 200 {
-			require.Equal(t, fmt.Sprintf("%s%s", tt.username, tt.password), string(body))
+			require.Equal(t, tt.username, string(body))
 		}
 	}
 }
 
-func Test_BasicAuth_NoStorePassword(t *testing.T) {
-	t.Parallel()
-	app := fiber.New()
-
-	hashedJohn := sha256Hash("doe")
-
-	app.Use(New(Config{
-		Users: map[string]string{"john": hashedJohn},
-	}))
-
-	app.Get("/", func(c fiber.Ctx) error {
-		require.Empty(t, PasswordFromContext(c))
-		return c.SendStatus(fiber.StatusOK)
-	})
-
-	creds := base64.StdEncoding.EncodeToString([]byte("john:doe"))
-	req := httptest.NewRequest(fiber.MethodGet, "/", nil)
-	req.Header.Set(fiber.HeaderAuthorization, "Basic "+creds)
-	resp, err := app.Test(req)
-	require.NoError(t, err)
-	require.Equal(t, fiber.StatusOK, resp.StatusCode)
-}
-
 func Test_BasicAuth_AuthorizerCtx(t *testing.T) {
 	t.Parallel()
 	app := fiber.New()
diff --git a/middleware/basicauth/config.go b/middleware/basicauth/config.go
@@ -63,24 +63,17 @@ type Config struct {
 	//
 	// Optional. Default: 8192.
 	HeaderLimit int
-
-	// StorePassword determines if the plaintext password should be stored
-	// in the context for later retrieval via PasswordFromContext.
-	//
-	// Optional. Default: false.
-	StorePassword bool
 }
 
 // ConfigDefault is the default config
 var ConfigDefault = Config{
-	Next:          nil,
-	Users:         map[string]string{},
-	Realm:         "Restricted",
-	Charset:       "UTF-8",
-	HeaderLimit:   8192,
-	StorePassword: false,
-	Authorizer:    nil,
-	Unauthorized:  nil,
+	Next:         nil,
+	Users:        map[string]string{},
+	Realm:        "Restricted",
+	Charset:      "UTF-8",
+	HeaderLimit:  8192,
+	Authorizer:   nil,
+	Unauthorized: nil,
 }
 
 // Helper function to set default values
