HTTP Basic Authentication: Decode Base64 to UTF-8

[manubahr]

Fitnesse basic authentication fails on non-ASCII characters (for example german umlauts) in user-id and passwords

fitnesse.util.Base64#decode(java.lang.String) incorrectly uses the charset UTF-8 (defined in FileUtil.CHARENCODING) to convert the input to Base64-decode(). This input's charset however is irrelevant because Base64 is US-ASCII which is compatible to any charset.
The output of Base64-decode() has to be converted to UTF-8 as most browsers encode basic auth in UTF-8 now.

For nearly all users this change will be without any effect as their user-ids / passwords are in US-ASCII which is fully compatible to UTF-8. Only users with Latin1 (ISO-8859-1) chars in user-id / passwords that managed to have their browser NOT to encode basic auth as UTF-8 (Safari? IE?) and their fitnesse installation's java default file encoding fitting their browser's encoding, will experience a change and authentication might fail. Remedy is to use a current web browser which encodes basic auth as UTF-8.

See:

• https://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication
• https://en.wikipedia.org/wiki/Basic_access_authentication
• https://bugzilla.mozilla.org/show_bug.cgi?id=41489 (Firefox bug open from 2000 to 2021 !!)

Perhaps fitnesse should send the new "charset" auth-param from RFC-7617 to user agents to explicitly tell them that the "Authorization" header value is expected to be UTF-8 encoded (see https://datatracker.ietf.org/doc/html/rfc7617#section-2.1).