neo4j enterprise 3.0.6 base64-encoded credentials are not accepted

Question

I'm building a Neo4j cluster on AWS using Neo4j Enterprise 3.0.6 and am currently trying to connect from a HAProxy instance to a Neo4j instance. For testing purposes I curl from the HAProxy instance to the Neo4j instance. Using

curl --user "neo4j:password" http://10.0.0.181:7474/user/neo4j

I get a proper response:

{
  "password_change_required" : false,
  "password_change" : "http://10.0.0.181:7474/user/neo4j/password",
  "username" : "neo4j"
}

However, with basic authorization using

curl -H "Authorization: Basic bmVvNGo6cGFzc3dvcmQK" http://10.0.0.181:7474/user/neo4j

Neo4j responds with

{
  "errors" : [ {
  "code" : "Neo.ClientError.Security.Unauthorized",
  "message" : "Invalid username or password."
  }
}

On an older version of Neo4j (2.3.3, I guess) the latter scheme worked as expected. I'm a little lost here. All the more since providing the credentials as base64-encoded string with a Basic Authentication header is explicitly described in the documentation. What do I miss here?

(I have triple checked that the base64 encoding is correct: Decoding the string gives exactly the credentials that should be sent.)

Answer 1

bmVvNGo6cGFzc3dvcmQK is the Base64 encoding of neo4j:password\n, whereas bmVvNGo6cGFzc3dvcmQ= is the real Base64 encoding of neo4j:password, without any trailing line return. You can observe it when running curl in verbose mode:

$ curl -v --user "neo4j:password" localhost:7474
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 7474 (#0)
* Server auth using Basic with user 'neo4j'
> GET / HTTP/1.1
> Host: localhost:7474
> Authorization: Basic bmVvNGo6cGFzc3dvcmQ=
> User-Agent: curl/7.43.0
> Accept: */*
>
< ...

Previous versions of Neo4j probably trimmed the decoded string.

To encode the credentials correctly, you can use:

$ echo -n neo4j:password | base64
bmVvNGo6cGFzc3dvcmQ=

or

$ printf neo4j:password | base64
bmVvNGo6cGFzc3dvcmQ=