labstack · aldas · Sep 26, 2025 · Sep 16, 2025 · Sep 16, 2025 · Sep 16, 2025
diff --git a/middleware/basic_auth.go b/middleware/basic_auth.go
@@ -66,6 +66,9 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 		config.Realm = defaultRealm
 	}
 
+	// Pre-compute the quoted realm for WWW-Authenticate header (RFC 7617)
+	quotedRealm := strconv.Quote(config.Realm)
+
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
 			if config.Skipper(c) {
@@ -84,27 +87,21 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 				}
 
 				cred := string(b)
-				for i := 0; i < len(cred); i++ {
-					if cred[i] == ':' {
-						// Verify credentials
-						valid, err := config.Validator(cred[:i], cred[i+1:], c)
-						if err != nil {
-							return err
-						} else if valid {
-							return next(c)
-						}
-						break
+				user, pass, ok := strings.Cut(cred, ":")
+				if ok {
+					// Verify credentials
+					valid, err := config.Validator(user, pass, c)
+					if err != nil {
+						return err
+					} else if valid {
+						return next(c)
 					}
 				}
 			}
 
-			realm := defaultRealm
-			if config.Realm != defaultRealm {
-				realm = strconv.Quote(config.Realm)
-			}
-
 			// Need to return `401` for browsers to pop-up login box.
-			c.Response().Header().Set(echo.HeaderWWWAuthenticate, basic+" realm="+realm)
+			// Realm is case-insensitive, so we can use "basic" directly. See RFC 7617.
+			c.Response().Header().Set(echo.HeaderWWWAuthenticate, basic+" realm="+quotedRealm)
 			return echo.ErrUnauthorized
 		}
 	}

diff --git a/middleware/basic_auth_test.go b/middleware/basic_auth_test.go
@@ -117,3 +117,64 @@ func TestBasicAuth(t *testing.T) {
 		})
 	}
 }
+
+func TestBasicAuthRealm(t *testing.T) {
+	e := echo.New()
+	mockValidator := func(u, p string, c echo.Context) (bool, error) {
+		return false, nil // Always fail to trigger WWW-Authenticate header
+	}
+
+	tests := []struct {
+		name         string
+		realm        string
+		expectedAuth string
+	}{
+		{
+			name:         "Default realm",
+			realm:        "Restricted",
+			expectedAuth: `basic realm="Restricted"`,
+		},
+		{
+			name:         "Custom realm",
+			realm:        "My API",
+			expectedAuth: `basic realm="My API"`,
+		},
+		{
+			name:         "Realm with special characters",
+			realm:        `Realm with "quotes" and \backslashes`,
+			expectedAuth: `basic realm="Realm with \"quotes\" and \\backslashes"`,
+		},
+		{
+			name:         "Empty realm (falls back to default)",
+			realm:        "",
+			expectedAuth: `basic realm="Restricted"`,
+		},
+		{
+			name:         "Realm with unicode",
+			realm:        "测试领域",
+			expectedAuth: `basic realm="测试领域"`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			res := httptest.NewRecorder()
+			c := e.NewContext(req, res)
+
+			h := BasicAuthWithConfig(BasicAuthConfig{
+				Validator: mockValidator,
+				Realm:     tt.realm,
+			})(func(c echo.Context) error {
+				return c.String(http.StatusOK, "test")
+			})
+
+			err := h(c)
+
+			var he *echo.HTTPError
+			errors.As(err, &he)
+			assert.Equal(t, http.StatusUnauthorized, he.Code)
+			assert.Equal(t, tt.expectedAuth, res.Header().Get(echo.HeaderWWWAuthenticate))
+		})
+	}
+}