Description
If you use the user and password authentication option and try to log in, it will crash the web server. If this was used in any capacity for a web server, this could be used as an attack vector to crash people's servers.
Environment Versions
- OS Type: Linux
- Node version: v24.8.0
- http-server version: v14.1.1
Steps to reproduce
http-server . --user test --password obiwan
open page and log in
Expected result
Logs in and loads page on web server.
...
[2025-11-18T12:20:16.145Z] "GET /" "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0"
[2025-11-18T12:20:20.512Z] "GET /" "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0"
/usr/lib/node_modules/http-server/lib/http-server.js:88
var usernameEqual = secureCompare(options.username.toString(), credentials.name);
^
TypeError: Cannot read properties of undefined (reading 'toString')
at Array.<anonymous> (/usr/lib/node_modules/http-server/lib/http-server.js:88:60)
at dispatch (/usr/lib/node_modules/http-server/node_modules/union/lib/routing-stream.js:119:21)
at Object.onceWrapper (node:events:622:28)
at module.exports.emit (node:events:508:28)
at Array.<anonymous> (/usr/lib/node_modules/http-server/lib/http-server.js:74:11)
at dispatch (/usr/lib/node_modules/http-server/node_modules/union/lib/routing-stream.js:119:21)
at RoutingStream.route (/usr/lib/node_modules/http-server/node_modules/union/lib/routing-stream.js:121:5)
at Object.onceWrapper (node:events:623:26)
at module.exports.emit (node:events:520:35)
at Readable.pipe (node:internal/streams/readable:1058:8)
Node.js v24.8.0
...
Other information
Happens on Arch and Ubuntu based distros
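
A fail-closed version of the credential check that the stack trace points at, written as an added example and not http-server's own code: it rejects a configuration where only one of username and password is set at startup, and answers 401 instead of throwing while handling a request. The function names are hypothetical, and the hand-written comparison stands in for the `secureCompare` call seen in the trace.

```javascript
// Added example (not http-server's code); all function names are hypothetical.

// Fail closed at startup: basic auth needs both values, normalized to strings.
function normalizeAuthOptions(options) {
  const hasUser = options.username != null;
  const hasPass = options.password != null;
  if (!hasUser && !hasPass) return null; // auth disabled
  if (hasUser !== hasPass) {
    throw new Error('basic auth requires both username and password');
  }
  return { username: String(options.username), password: String(options.password) };
}

// Constant-time string comparison, standing in for secureCompare in the trace.
function constantTimeEqual(expected, actual) {
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ actual.charCodeAt(i % (actual.length || 1));
  }
  return diff === 0;
}

// Parse "Basic <base64(user:pass)>"; returns null when the header is malformed.
function parseBasicAuth(header) {
  const match = /^Basic ([A-Za-z0-9+/=]+)$/.exec(header || '');
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep === -1) return null;
  return { name: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Per-request check: returns an HTTP status and never throws on client input.
function authorize(auth, header) {
  if (auth === null) return 200;
  const credentials = parseBasicAuth(header);
  if (!credentials) return 401;
  // Evaluate both comparisons before combining, so neither is skipped.
  const userOk = constantTimeEqual(auth.username, credentials.name);
  const passOk = constantTimeEqual(auth.password, credentials.pass);
  return userOk && passOk ? 200 : 401;
}
```
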