1

I would like to decrypt the Username and Password which was encrypted using basic authentication.

In my client application I'm having a list of files. if the user wants to download, they will click the anchor link which points to a PHP file with param id (i.e., fileId) and token.

I having a client side anchor tag like

<a href="http://localhost:8080/management/download.php?id=1&token=YmFsYTphYWFhYWFhYWFh">
    download
</a>

The token was created using the following javascript code

const token = window.btoa(username + ':' + password)

File: download.php

$fileId = $_GET['id'];
$token = $_GET['token'];

$filePath = getFileById($fileId);

if (file_exists($filePath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($filePath).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filePath));
    readfile($filePath);
    exit;
}

I tried to get the Username and Password from the default $_SERVER['PHP_AUTH_USER'] but I failed to get the information.

Kindly assist me how to decrypt the Username and Password from the token.

B.Balamanigandan
  • 4,713
  • 11
  • 68
  • 130

1 Answers1

3

Use base64_decode() in PHP to get the username and password separated by :.

<?php

$decoded = base64_decode($_GET['token']);
list($username,$password) = explode(":",$decoded);
echo $username," ",$password;

Demo: https://3v4l.org/KKIlR

Also, this doesn't seem to be secure enough to send a password(not sure what password depicts here) as is in the GET parameter. It's better to instead send a header like Authorization: Basic YmFsYTphYWFhYWFhYWFh where it's actually some client ID and client secret base-64 encoded.

nice_dev
  • 17,053
  • 2
  • 21
  • 35