From 539d00729c75657c35956a1536672d4d7d8a73fd Mon Sep 17 00:00:00 2001
From: Richard Hatherall
Date: Tue, 3 Mar 2026 21:13:44 +0000
Subject: [PATCH] fix: Use standard Base64 encoding for Basic Auth (RFC 7617)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`urlsafe_encode64` produces URL-safe Base64 (`+` → `-`, `/` → `_`), which is incorrect for HTTP Basic Authentication. Use `strict_encode64` to produce standard Base64 without newlines, as required by RFC 7617.
---
 lib/cognito_idp/client.rb | 2 +-
 spec/cognito_idp/client_spec.rb | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/cognito_idp/client.rb b/lib/cognito_idp/client.rb
index e27ae25..4e7b848 100644
--- a/lib/cognito_idp/client.rb
+++ b/lib/cognito_idp/client.rb
@@ -99,7 +99,7 @@ def basic_authorization_headers
 return if client_secret.nil?
 client_id_and_secret = "#{client_id}:#{client_secret}"
- {"Authorization" => "Basic #{Base64.urlsafe_encode64(client_id_and_secret)}"}
+ {"Authorization" => "Basic #{Base64.strict_encode64(client_id_and_secret)}"}
 end
 end
 end
diff --git a/spec/cognito_idp/client_spec.rb b/spec/cognito_idp/client_spec.rb
index f2474e6..55b8405 100644
--- a/spec/cognito_idp/client_spec.rb
+++ b/spec/cognito_idp/client_spec.rb
@@ -102,7 +102,7 @@
 Faraday::Adapter::Test::Stubs.new do |stub|
 stub.post("https://auth.example.com/oauth2/token") do |env|
 id_and_secret = "#{client_id}:#{client_secret}"
- basic_auth = "Basic #{Base64.urlsafe_encode64(id_and_secret)}"
+ basic_auth = "Basic #{Base64.strict_encode64(id_and_secret)}"
 fail "Basic Authorization is missing." unless env.request_headers["Authorization"] == basic_auth
 [200, {"Content-Type" => "application/json"}, response_payload.to_json]
 end
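Review bot: The `Base64.strict_encode64` call in `basic_authorization_headers` (lib/cognito_idp/client.rb) carries no comment saying why this particular encoder is required, and the three `Base64` encoders are easy to swap by mistake. I would add above the header line `# RFC 7617: standard Base64 alphabet, no line breaks (encode64 wraps long output, urlsafe_encode64 swaps +/ for -_)`. The previous encoder only produced a wrong header when the encoded credentials happened to contain `+` or `/`, so a regression here would surface as authentication failures for some client secrets rather than all of them. The method's `def` line sits in the hunk header, so the start of the body is outside the hunk.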
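Review bot: The expected header in the stub at `@@ -102` of spec/cognito_idp/client_spec.rb is built with the same `Base64.strict_encode64` call as the code under test, so the comparison cannot tell one encoder from another unless the fixture credentials encode to something containing `+` or `/`; the same applies to the stubs in the hunks at `@@ -204`, `@@ -325` and `@@ -373`. The values of `client_id` and `client_secret` are defined outside these hunks, so whether they do is not visible here. Comparing against a precomputed literal would pin the RFC 7617 form, e.g. `basic_auth = "Basic <expected Base64 literal for the fixture id:secret>"`, with a fixture secret chosen so that the encoding includes `+` or `/`.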
@@ -204,7 +204,7 @@
 Faraday::Adapter::Test::Stubs.new do |stub|
 stub.post("https://auth.example.com/oauth2/token", params_matcher) do |env|
 id_and_secret = "#{client_id}:#{client_secret}"
- basic_auth = "Basic #{Base64.urlsafe_encode64(id_and_secret)}"
+ basic_auth = "Basic #{Base64.strict_encode64(id_and_secret)}"
 fail "Basic Authorization is missing." unless env.request_headers["Authorization"] == basic_auth
 [200, {"Content-Type" => "application/json"}, response_payload.to_json]
 end
@@ -325,7 +325,7 @@
 Faraday::Adapter::Test::Stubs.new do |stub|
 stub.post("https://auth.example.com/oauth2/token") do |env|
 id_and_secret = "#{client_id}:#{client_secret}"
- basic_auth = "Basic #{Base64.urlsafe_encode64(id_and_secret)}"
+ basic_auth = "Basic #{Base64.strict_encode64(id_and_secret)}"
 fail "Basic Authorization is missing." unless env.request_headers["Authorization"] == basic_auth
 [200, {"Content-Type" => "application/json"}, response_payload.to_json]
 end
@@ -373,7 +373,7 @@
 Faraday::Adapter::Test::Stubs.new do |stub|
 stub.post("https://auth.example.com/oauth2/token", params_matcher) do |env|
 id_and_secret = "#{client_id}:#{client_secret}"
- basic_auth = "Basic #{Base64.urlsafe_encode64(id_and_secret)}"
+ basic_auth = "Basic #{Base64.strict_encode64(id_and_secret)}"
 fail "Basic Authorization is missing." unless env.request_headers["Authorization"] == basic_auth
 [200, {"Content-Type" => "application/json"}, response_payload.to_json]
 end