
Max basic authentication password length restricted by base64 encoded linefeed #7664

Closed
@arendst

Description


While finding an answer to a question regarding the max allowed webserver password length in Tasmota (arendst/Tasmota#9587) I stumbled across a hard limit of 47 characters.

The HTTP Basic Authorization userid password as used in ESP8266WebServer-impl.h uses function base64_encode_chars to encode the userid:password. This function inserts linefeeds/carriage returns every 72 encoded characters as defined in cencode.h (#define BASE64_CHARS_PER_LINE 72).

In the case of Tasmota, where the userid is fixed to admin, this allows for 47 characters in the password. Any more characters will insert a linefeed, which isn't available in the HTTP request header.

As an example, if a user uses a password of 12345678901234567890123456789012345678901234567890 it results in a base64-encoded string like

YWRtaW46MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4
OTA=

so with a linefeed after ..Njc4. The HTTP request header contains:

Authorization: Basic YWRtaW46MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA=

The compare using function authReq.equalsConstantTime(encoded) will fail because of the inserted linefeed.

As a possible solution I suggest replacing function authReq.equalsConstantTime(encoded) with a function that discards any control characters in the base64-encoded string before comparing.

EDIT: It works fine on the ESP32 as there the linefeed is not inserted in the base64 encoded data.
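The failing comparison and the proposed fix, modelled in Python as an added example (this is not code from the ESP8266 core or from the issue). `libb64_encode_chars` is an assumed model of the encoder described above: standard base64 with a linefeed appended after every 72 output characters; `auth_fixed` is the hypothetical control-character-stripping compare the issue suggests, and `max_password_length` reproduces the 47-character limit for the admin userid.

```python
import base64
import hmac

BASE64_CHARS_PER_LINE = 72  # value from cencode.h cited in the issue

def libb64_encode_chars(data: bytes) -> str:
    """Model (assumption) of base64_encode_chars: plain base64, but a '\\n' is
    appended after every 18 full 3-byte groups, i.e. every 72 output chars."""
    out = []
    full_groups = len(data) // 3
    for i in range(full_groups):
        out.append(base64.b64encode(data[3 * i:3 * i + 3]).decode())
        if (i + 1) % (BASE64_CHARS_PER_LINE // 4) == 0:
            out.append("\n")  # the linefeed that ends up in the compared string
    tail = data[3 * full_groups:]
    if tail:
        out.append(base64.b64encode(tail).decode())  # padded final group, no newline
    return "".join(out)

def header_credential(userid: str, password: str) -> str:
    """What a client sends after 'Basic ': unwrapped base64 of userid:password."""
    return base64.b64encode(f"{userid}:{password}".encode()).decode()

def auth_original(auth_req: str, userid: str, password: str) -> bool:
    """Original check: constant-time compare against the line-wrapped encoding."""
    encoded = libb64_encode_chars(f"{userid}:{password}".encode())
    return hmac.compare_digest(auth_req.encode(), encoded.encode())

def auth_fixed(auth_req: str, userid: str, password: str) -> bool:
    """Suggested fix: drop control characters (CR/LF) before the constant-time compare."""
    encoded = libb64_encode_chars(f"{userid}:{password}".encode())
    cleaned = "".join(ch for ch in encoded if ch >= " ")  # keep printable chars only
    return hmac.compare_digest(auth_req.encode(), cleaned.encode())

def max_password_length(userid: str, check=auth_original, limit: int = 200) -> int:
    """Largest password length (up to limit) at which a correct password still authenticates."""
    longest = 0
    for n in range(1, limit + 1):
        pw = "x" * n
        if check(header_credential(userid, pw), userid, pw):
            longest = n
    return longest

if __name__ == "__main__":
    pw = "1234567890" * 5  # the 50-digit password from the issue
    print(repr(libb64_encode_chars(f"admin:{pw}".encode())))
    print("original check:", auth_original(header_credential("admin", pw), "admin", pw))
    print("fixed check:   ", auth_fixed(header_credential("admin", pw), "admin", pw))
    print("max password length with original check:", max_password_length("admin"))
```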
