Problem/Motivation
As stated in #2856713-49: Authentication plugins and HTTP authentication, to be able to request a server behind HTTP Password protection, we need to provide a username/password pair (maybe also with optional support for the Key module) on the remote config entity.
And regarding the basic auth authentication method, in practice it is not possible to provide a different username/password pair for HTTP Password and basic auth; we need to take this into account by implementing a #state, for example, and overriding submitted values programmatically, with priority to the basic auth plugin.
Maybe the Shield module will help for manual and automated tests.
Comment | File | Size | Author |
---|---|---|---|
#16 | interdiff-3167422-10-16.txt | 3.29 KB | Grimreaper |
#16 | entity_share-http_pass_support-3167422-16.patch | 8.12 KB | Grimreaper |
#10 | interdiff_9-10.txt | 3 KB | yarik.lutsiuk |
#10 | 3167422-http-pass-support-10.patch | 7.38 KB | yarik.lutsiuk |
#9 | 3167422-http-pass-support-9.patch | 4.37 KB | yarik.lutsiuk |
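
The constraint described in the issue summary, as an added example (not code from the patches or from Entity Share): a request carries a single Authorization header, so the HTTP password pair and the authorization plugin's header cannot both be sent, and the plugin's value takes priority. The function names and the sample credentials are hypothetical.

```php
<?php
// Added example: helper names are hypothetical, not Entity Share's API.

/** Value of a Basic "Authorization" header (RFC 7617). */
function basic_authorization(string $user, string $pass): string {
  // A colon in the user-id would make the server split the pair wrongly.
  if (strpos($user, ':') !== false) {
    throw new InvalidArgumentException('Username must not contain ":".');
  }
  return 'Basic ' . base64_encode($user . ':' . $pass);
}

/**
 * Merge HTTP password credentials with the authorization plugin's headers.
 * A request carries one Authorization header, so the plugin's value wins.
 *
 * @return array{headers: array<string,string>, overridden: bool}
 */
function build_request_headers(?array $http_password, array $plugin_headers): array {
  $headers = [];
  // Empty credentials mean the server is not behind HTTP password protection.
  if ($http_password !== null && $http_password['username'] !== '') {
    $headers['Authorization'] = basic_authorization(
      $http_password['username'], $http_password['password']);
  }
  $overridden = false;
  foreach ($plugin_headers as $name => $value) {
    // Header names are case-insensitive, so "authorization" collides too.
    foreach (array_keys($headers) as $existing) {
      if (strcasecmp($existing, $name) === 0) {
        $overridden = $overridden || $headers[$existing] !== $value;
        unset($headers[$existing]);
      }
    }
    $headers[$name] = $value;
  }
  return ['headers' => $headers, 'overridden' => $overridden];
}

// Constructed sample credentials.
$http_password = ['username' => 'shield-user', 'password' => 'shield-pass'];
$basic_auth = ['authorization' => basic_authorization('editor', 'editor-pass')];

// Basic auth plugin selected: report whether the HTTP password pair was dropped.
$with_plugin = build_request_headers($http_password, $basic_auth);
echo 'Overridden by plugin: ', var_export($with_plugin['overridden'], true), PHP_EOL;
// Anonymous plugin (no Authorization header of its own): the pair is kept.
$anonymous = build_request_headers($http_password, []);
echo 'Anonymous request headers: ', json_encode($anonymous['headers']), PHP_EOL;
```
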
Comments
Comment #2
yarik.lutsiuk at Smile commented
Comment #3
yarik.lutsiuk at Smile commented
Comment #4
yarik.lutsiuk at Smile commented
Comment #6
Grimreaper
Comment #7
Grimreaper
Hello,
@yarik.lutsiuk, here is some context of the notification emails you may have received :)
@osman_seferov made an internal demonstration last week about a monitoring platform (I have added you as guest so you can have access to the code).
During the demonstration, there is a part that made me think of this issue. And we may inspire ourselves from this code to go beyond this issue's original scope. Especially the possibility to set a header name and value.
In the monitoring tool code, there is a field "http_auth_type" with 3 possible values:
And that made me think of a new plugin type besides the authorization plugins. With 3 plugins: free, basic auth (this issue scope) and header.
In the current implementation this is not a plugin system but hidden fields depending on the value you select. And we need to see how to integrate that properly with Entity Share, because there is a JSON:API HTTP client (getJsonApiClient()) and an HTTP client (getClient()) to prepare.
We can have a call if you have questions and/or want to discuss the pertinence of this idea.
Also in the case we switch to a plugin system, we may forget the "#states" depending on the authorization plugin selected, and only put a description saying that it can interfere.
Cheers,
Comment #8
Grimreaper
Adding a link to the shield module in the issue summary for convenience.
Comment #9
yarik.lutsiuk at Smile commented
Hello,
Added patch with header plugin, will add http password. WIP.
Cheers,
Comment #10
yarik.lutsiuk at Smile commented
Added HTTP password protection only to anonymous user plugin,
because other plugins use Authorization header too
Cheers,
Comment #11
yarik.lutsiuk at Smile commented
Also, after it is merged, need to update
https://www.drupal.org/docs/contributed-modules/entity-share/authorizati...
and add a new one for the Header plugin.
Comment #12
Grimreaper
Comment #13
Grimreaper
Hello,
Thanks @yarik.lutsiuk for the patch. Great work!
And nice mentioning the documentation page to not forget to edit it :)
Finally this is much simpler as authentication methods already use the authentication header.
This is my review, as it is small stuff, I can do it before merging, if I can get your opinion that is ok :):
I think this comment can just be removed.
Is it a copy/paste mistake? The Content-type header is only for JSONApiClient. Or I may be missing something?
In addition to the review, about the changes in the Anonymous plugin. Finally it is equivalent to the Basic Auth plugin (If I am missing something, please correct me). So I think in the Anonymous plugin, we should only add a message saying that if the website is behind HTTP Password protection, the Basic Auth module should be used instead, and maybe even with that it is not guaranteed to work.
Cheers,
Comment #14
yarik.lutsiuk at Smile commented
Hello,
1 and 2, yes my bad, can be removed.
Not fully, because we authenticate as user via 'login' form,
and I'd added a comment for Anon plugin credentials,
'Leave empty if Server website is not protected via HTTP Password.'
Cheers,
Comment #15
Grimreaper
Comment #16
Grimreaper
Discussed offline with @yarik.lutsiuk, added a restriction on the key type to be like Basic Auth on Anonymous HTTP Password support.
Comment #18
Grimreaper
Comment #19
Grimreaper
And I forgot to update the documentation...
Comment #20
Grimreaper