From 1d313bdd19bdf2e7544e293fb7dbfc29a847dc5d Mon Sep 17 00:00:00 2001
From: Paul Melnikow
Date: Sun, 3 Dec 2017 15:07:58 -0500
Subject: [PATCH] Github admin endpoint: use basic auth password instead of username (#1317)
---
 lib/github-auth.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/github-auth.js b/lib/github-auth.js
index 98bd6bfd68..0e549e74ed 100644
--- a/lib/github-auth.js
+++ b/lib/github-auth.js
@@ -120,10 +120,14 @@ function setRoutes(server) {
 // - Ensure tokens have been propagated to all servers
 // - Debug GitHub badge failures
 //
- // The admin can authenticate with HTTP Basic Auth, with the shields secret
- // in the username and an empty/any password.
+ // The admin can authenticate with HTTP Basic Auth, with an empty/any
+ // username and the shields secret in the password and an empty/any
+ // password.
+ //
+ // e.g.
+ // curl -u ':very-very-secret' 'https://example.com/$github-auth/tokens'
 server.ajax.on('github-auth/tokens', (json, end, ask) => {
- if (! constEq(ask.username, serverSecrets.shieldsSecret)) {
+ if (! constEq(ask.password, serverSecrets.shieldsSecret)) {
 // An unknown entity tries to connect. Let the connection linger for a minute.
 return setTimeout(function() { end('Invalid secret.'); }, 10000);
 }
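Review bot: The new check `constEq(ask.password, serverSecrets.shieldsSecret)` has no visible guard for an unset or empty `shieldsSecret`; `constEq` and `serverSecrets` are defined outside this hunk, so this is inferred, but if the secret is an empty string an empty Basic Auth password would presumably compare equal and the token list would be served. Failing closed first would cover it, e.g. `if (!serverSecrets.shieldsSecret || !constEq(ask.password, serverSecrets.shieldsSecret)) {`. The rewritten comment also keeps a leftover clause and should end at `// username and the shields secret in the password.`, without the trailing "and an empty/any password". The curl example passes the secret in argv, where it lands in shell history and the process list; since any username is accepted, `curl -u admin '<url>'` would prompt for the password instead. The handler's body continues outside the hunk.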