I would like to decrypt the Username and Password which was encrypted using basic authentication.
In my client application I'm having a list of files. if the user wants to download, they will click the anchor link which points to a PHP file with param id (i.e., fileId) and token.
I having a client side anchor tag like
<a href="http://localhost:8080/management/download.php?id=1&token=YmFsYTphYWFhYWFhYWFh">
download
</a>
The token was created using the following javascript code
const token = window.btoa(username + ':' + password)
File: download.php
$fileId = $_GET['id'];
$token = $_GET['token'];
$filePath = getFileById($fileId);
if (file_exists($filePath)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filePath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filePath));
readfile($filePath);
exit;
}
I tried to get the Username and Password from the default $_SERVER['PHP_AUTH_USER'] but I failed to get the information.
Kindly assist me how to decrypt the Username and Password from the token.
Use base64_decode() in PHP to get the username and password separated by :.
<?php
$decoded = base64_decode($_GET['token']);
list($username,$password) = explode(":",$decoded);
echo $username," ",$password;
Demo: https://3v4l.org/KKIlR
Also, this doesn't seem to be secure enough to send a password(not sure what password depicts here) as is in the GET parameter. It's better to instead send a header like Authorization: Basic YmFsYTphYWFhYWFhYWFh where it's actually some client ID and client secret base-64 encoded.