fix: the basicauth middleware accepts sha-256 hex-en... in config.go #4295

Closed

orbisai0security wants to merge 1 commit into gofiber:main from orbisai0security:fix-basicauth-reject-unprefixed-sha256

Conversation

@orbisai0security

Summary

Fix high severity security issue in middleware/basicauth/config.go.

Vulnerability

Field     Value
ID        V-001
Severity  HIGH
Scanner   multi_agent_ai
Rule      V-001
File      middleware/basicauth/config.go:17

Description: The BasicAuth middleware accepts SHA-256 hex-encoded password hashes as a valid credential format when no algorithm prefix is supplied. SHA-256 is a general-purpose cryptographic hash function, not a password hashing algorithm. It lacks per-user salting, making it trivially vulnerable to precomputed rainbow table attacks. It is also orders of magnitude faster to compute than bcrypt, enabling GPU-accelerated brute-force attacks that can test billions of candidates per second. An attacker who obtains the stored hash through a database breach or configuration file exposure can recover the plaintext password far more quickly than with bcrypt.

Changes

  • middleware/basicauth/config.go

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by OrbisAI Security
@welcome

welcome Bot commented May 19, 2026

Thanks for opening this pull request! 🎉 Please check out our contributing guidelines. If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

@coderabbitai

coderabbitai Bot commented May 19, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 7ec92c78-d7db-4d88-aa3b-5aac826a3326

📥 Commits

Reviewing files that changed from the base of the PR and between 1987a06 and caf0a59.

📒 Files selected for processing (1)
  • middleware/basicauth/config.go

Walkthrough

This PR tightens BasicAuth password hash validation by removing hex-decoding fallback for SHA-256 hashes and adding explicit error reporting for unsupported formats. The import change and error handling work together to restrict support to bcrypt, SHA512, and SHA256 formats only.

Changes

BasicAuth Hash Format Validation

Layer:    Remove SHA-256 hex fallback and tighten format validation
File(s):  middleware/basicauth/config.go
Summary:  encoding/hex import removed, eliminating hex-based SHA-256 decoding. parseHashedPassword now explicitly rejects unsupported hash formats with an error message, restricting support to bcrypt ($2…), {SHA512}, and {SHA256} only.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • gofiber/fiber#3631: Multi-hash support introduction that this PR refines by tightening SHA-256 hex-decoding fallback and unsupported format handling in parseHashedPassword.
  • gofiber/fiber#3634: Related changes to parseHashedPassword supported-hash handling, removing additional unsupported hash prefixes in the same parsing logic.
  • gofiber/fiber#4245: Depends on parseHashedPassword logic for verifier building and handles unknown-user cases that rely on the tightened hash format validation.

Suggested labels

☢️ Bug, v3, codex

Suggested reviewers

  • sixcolors
  • efectn
  • ReneWerner87

Poem

🐰 A hex-ade too far, we say with care,
Stripping fallbacks from the air,
SHA-256 now knows its place,
Bcrypt and SHA claim the base,
Format strict, validation true—
BasicAuth, refreshed anew! 🔐

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Docstring Coverage (⚠️ Warning)
  Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
  Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

Title check (❓ Inconclusive)
  Explanation: The title is truncated and vague, using unclear phrasing 'accepts sha-256 hex-en...' that doesn't clearly convey the actual change (rejecting unsafe SHA-256 hex encoding).
  Resolution: Revise the title to clearly state the actual fix, such as 'fix: reject SHA-256 hex-encoded passwords in basicauth middleware' or 'fix: remove unsafe SHA-256 hex support from basicauth config'.

✅ Passed checks (3 passed)

Description check (✅ Passed)
  Explanation: The pull request description addresses the security vulnerability and changes made, but lacks most required sections from the template (Changes introduced checklist, Type of change, Checklist items, and Commit formatting).

Linked Issues check (✅ Passed)
  Explanation: Check skipped because no linked issues were found for this pull request.

Out of Scope Changes check (✅ Passed)
  Explanation: Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"


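The strict format dispatch described in the PR description and in the walkthrough above, written out as an added example for this page (it is not Fiber's own config.go). Both parsers are the example's own: parseHashedPasswordLegacy reproduces the pre-fix behaviour, where an unprefixed string that hex-decodes to 32 bytes is silently treated as an unsalted SHA-256 digest, and parseHashedPasswordStrict reproduces the post-fix behaviour, where only prefixed formats are accepted. Two assumptions: the {SHA256} and {SHA512} digests are taken to be base64-encoded (htpasswd style; the page does not state the encoding), and because golang.org/x/crypto/bcrypt is outside the standard library, "$2..." hashes are routed to a caller-supplied BcryptCompare hook rather than verified inline.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Verifier reports whether a candidate plaintext matches the stored hash.
type Verifier func(password string) bool

// ErrUnsupportedFormat is returned for any hash string without a recognised
// prefix. The wording follows the review suggestion on this PR.
var ErrUnsupportedFormat = errors.New("unsupported password hash format; use bcrypt ($2...) for secure password storage")

// BcryptCompare is a hook for "$2..." hashes. x/crypto/bcrypt is not in the
// standard library, so this example only routes to the hook; a real deployment
// would assign bcrypt.CompareHashAndPassword here (assumption, not Fiber code).
var BcryptCompare func(hashedPassword, password []byte) error

func sha256Sum(p []byte) []byte { s := sha256.Sum256(p); return s[:] }
func sha512Sum(p []byte) []byte { s := sha512.Sum512(p); return s[:] }

// digestVerifier decodes a base64 digest of the expected size and returns a
// constant-time comparison of sum(password) against it.
func digestVerifier(encoded string, size int, sum func([]byte) []byte) (Verifier, error) {
	b, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("invalid base64 digest: %w", err)
	}
	if len(b) != size {
		return nil, fmt.Errorf("invalid digest length %d, want %d", len(b), size)
	}
	return func(p string) bool {
		return subtle.ConstantTimeCompare(sum([]byte(p)), b) == 1
	}, nil
}

// parseHashedPasswordStrict is the post-fix behaviour: every accepted format
// is named by its prefix, and anything else is an error instead of a guess.
func parseHashedPasswordStrict(hashed string) (Verifier, error) {
	switch {
	case strings.HasPrefix(hashed, "$2"):
		if BcryptCompare == nil {
			return nil, errors.New("bcrypt verifier not configured")
		}
		h := []byte(hashed)
		return func(p string) bool { return BcryptCompare(h, []byte(p)) == nil }, nil
	case strings.HasPrefix(hashed, "{SHA512}"):
		return digestVerifier(strings.TrimPrefix(hashed, "{SHA512}"), sha512.Size, sha512Sum)
	case strings.HasPrefix(hashed, "{SHA256}"):
		return digestVerifier(strings.TrimPrefix(hashed, "{SHA256}"), sha256.Size, sha256Sum)
	}
	return nil, ErrUnsupportedFormat
}

// parseHashedPasswordLegacy reproduces the fallback the PR removes: when no
// prefix matches, a string that hex-decodes to exactly 32 bytes is accepted
// as an unsalted SHA-256 digest. Kept only to contrast with the strict parser.
func parseHashedPasswordLegacy(hashed string) (Verifier, error) {
	v, err := parseHashedPasswordStrict(hashed)
	if !errors.Is(err, ErrUnsupportedFormat) {
		return v, err
	}
	b, err := hex.DecodeString(hashed)
	if err != nil || len(b) != sha256.Size {
		return nil, ErrUnsupportedFormat
	}
	return func(p string) bool {
		return subtle.ConstantTimeCompare(sha256Sum([]byte(p)), b) == 1
	}, nil
}

// EncodeSHA256, EncodeSHA512 and HexSHA256 build the stored forms contrasted
// here; they are constructed for the demo, a real config would hold bcrypt output.
func EncodeSHA256(password string) string {
	return "{SHA256}" + base64.StdEncoding.EncodeToString(sha256Sum([]byte(password)))
}
func EncodeSHA512(password string) string {
	return "{SHA512}" + base64.StdEncoding.EncodeToString(sha512Sum([]byte(password)))
}
func HexSHA256(password string) string { return hex.EncodeToString(sha256Sum([]byte(password))) }

func main() {
	bare := HexSHA256("hunter2") // constructed sample credential
	if _, err := parseHashedPasswordStrict(bare); err != nil {
		fmt.Println("strict parser:", err)
	}
	if v, err := parseHashedPasswordLegacy(bare); err == nil {
		fmt.Println("legacy parser accepted bare hex; password matches:", v("hunter2"))
	}
}
```

The legacy parser only falls back to hex decoding when the strict parser reports ErrUnsupportedFormat, so a malformed {SHA256} digest or an unconfigured bcrypt hook still surfaces its own error rather than being silently reinterpreted as hex.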

@ReneWerner87 ReneWerner87 added this to v3 May 19, 2026
@ReneWerner87 ReneWerner87 added this to the v3 milestone May 19, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the basicauth middleware to remove the default SHA256 password hashing fallback, returning an error for unsupported formats instead. Feedback suggests improving the error message for consistency and security by recommending bcrypt exclusively and removing the now-unused ErrInvalidSHA256PasswordLength error variable.

sum := sha256.Sum256([]byte(p))
return subtle.ConstantTimeCompare(sum[:], b) == 1
}, nil
return nil, fmt.Errorf("basicauth: unsupported password hash format; use bcrypt ($2…), {SHA512}, or {SHA256}")
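Review bot: the bare-hex fallback is removed here without a test or a docs note, yet the only file in this change is config.go and the verification list mentions no test run; any existing configuration that stores an unprefixed hex SHA-256 string will now fail at parseHashedPassword with this unsupported-format error rather than authenticate. Add a basicauth test case asserting that a 64-character hex string is rejected while {SHA256}, {SHA512} and $2 inputs still parse, and record the behaviour change in the middleware documentation so operators know to migrate those entries before upgrading.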

Severity: medium

The error message is inconsistent with other errors in this function (which do not use the basicauth: prefix) and uses a Unicode ellipsis (…) instead of standard ASCII. Additionally, since the PR aims to address security concerns with SHA-256, it is better to recommend bcrypt exclusively in the error message, as {SHA256} and {SHA512} are also unsalted and fast hashes that are not recommended for secure password storage. Also, ErrInvalidSHA256PasswordLength is now unused and should be removed.

Suggested change
  before: return nil, fmt.Errorf("basicauth: unsupported password hash format; use bcrypt ($2…), {SHA512}, or {SHA256}")
  after:  return nil, errors.New("unsupported password hash format; use bcrypt ($2...) for secure password storage")

@gaby

gaby commented May 19, 2026

@ReneWerner87 Can we ban this account? This is the 2nd AI slop PR it submits. Probably a bot.

Rel: #4257

@gaby gaby closed this May 19, 2026
@github-project-automation github-project-automation Bot moved this to Done in v3 May 19, 2026
@gofiber gofiber locked as spam and limited conversation to collaborators May 19, 2026