HTTP(s) Authentication for RSS feeds/#3733

Covers some rough aspects of HTTP authentication for RSS feeds.

HTTP-Auth with php-cgi

from .htaccess

    RewriteEngine on

    # PHP (CGI mode) HTTP Authorization with ModRewrite:
    RewriteCond %{REQUEST_METHOD} =GET
    RewriteCond %{HTTP:Authorization} !^$
    RewriteRule ^(.*)$ index.php?go=playground&HTTP_AUTHORIZATION=%{HTTP:Authorization}

The main issue here is adding the authentication data to the URLs. Sadly, this does not work as expected, because...

    RewriteRule ^(.*)$ $1&HTTP_AUTHORIZATION=%{HTTP:Authorization}

...truncates a request like index.php?go=XYZ to index.php. Of course we need the go parameter as well.

This sample code tries to get the HTTP authentication username and password.

from pages/playground.inc.php

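    if(!isset($_SERVER['PHP_AUTH_USER'])
        && !get('HTTP_AUTHORIZATION')
    ){
        # no credentials at all: ask the client to authenticate
        header('WWW-Authenticate: Basic realm="blabl"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Sorry. You need to authenticate';
        exit;
    }
    else {
        $username = '';
        $password = '';

        # mod_php: PHP has already decoded the Authorization header
        if(isset($_SERVER['PHP_AUTH_USER'])) {
            $username = asCleanString($_SERVER['PHP_AUTH_USER']);
            if(isset($_SERVER['PHP_AUTH_PW'])) {
                # password is taken as sent, like in the CGI branch below
                $password = $_SERVER['PHP_AUTH_PW'];
            }
        }

        /**
        * if php runs in CGI-mode we need mod_rewrite to enable HTTP-auth:
        * read more at http://www.php.net/manual/en/features.http-auth.php#70864
        */
        else if(get('HTTP_AUTHORIZATION')) {
            # strip the leading "Basic " (6 characters) and decode the rest
            $tmp = base64_decode(substr(get('HTTP_AUTHORIZATION'), 6));
            # split on the first colon only, the password may contain colons
            list($username, $password) = array_pad(explode(':', $tmp, 2), 2, '');
        }

        # debug output, escaped because both values are client-supplied
        print("<br>username='" . htmlspecialchars($username) . "'");
        print("<br>password='" . htmlspecialchars($password) . "'");
    }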




Any ideas on this subject would be very nice.


Another problem

Relative linking of stylesheets sometimes breaks with mod_rewrite. Although all links seem to work just fine and the source code looks OK, styles and images are not loaded. I cannot reproduce this behaviour.




Replacing Authorization in php-cgi

from: http://translate.google.com/translate?hl=en&sl=fr&u=http://www.yetanothercommunitysystem.com/yacs/articles/view.php/321&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3D%255BR%25C3%25A9gl%25C3%25A9%255D%2BComment%2Butiliser%2Bl%2527authentification%2BHTTP%2Ben%2BPHP%2Bchez%2BOVH%2B%253F%26hl%3Den%26lr%3D%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26hs%3DW5x
So how do we do it?
The solution is to pick an Apache variable that is actually passed to PHP even in CGI mode, and to attach to it the authentication data sent by the browser (or by the newsreader).

Take a look at the directive added to the .htaccess file:

  RewriteEngine on
  RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

This directive says that, if the mod_rewrite module is available, the HTTP Authorization attribute must be placed in the variable $_SERVER["REMOTE_USER"].

Following RFC 2617 on HTTP Authentication, if the user enters the name "Aladdin" and the password "open sesame", the user agent (the browser or the newsreader) must add the following attribute to the HTTP request:

  Authorization: BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Thanks to the rewrite directive placed in .htaccess, the PHP script being executed will be able to access these elements in $_SERVER["REMOTE_USER"] as follows:

  $_SERVER["REMOTE_USER"] = BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==



From there, all that remains is to decode the base64 and to separate the name from the password, as indicated in RFC 2617. Are you following me?
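
The decoding step described above, as an added example (not code from Streber or from the quoted article): it reads the raw header value from the REMOTE_USER variable set by the rewrite directive, accepts the scheme name in any case, and splits on the first colon only. The function name parseBasicAuth and the REDIRECT_REMOTE_USER fallback are assumptions of this example, and it needs PHP 7.1 or later.

```php
<?php
// Added example; parseBasicAuth() is a hypothetical helper name.

/**
 * Return [user, password] taken from HTTP Basic credentials, or null
 * when no usable credentials are present in the given $_SERVER array.
 */
function parseBasicAuth(array $server): ?array
{
    // mod_php case: PHP has already split the header for us.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // CGI case: raw header value copied by [E=REMOTE_USER:%{HTTP:Authorization}].
    // Assumption: after an internal redirect Apache may expose the variable
    // with a REDIRECT_ prefix, so both names are checked.
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // The scheme name is case-insensitive ("Basic", "BASIC", ...).
        if (!preg_match('/^Basic\s+(\S+)$/i', trim($server[$key]), $m)) {
            continue;
        }
        // Strict mode rejects characters outside the base64 alphabet.
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        // Split on the first colon only: the password may contain colons.
        return explode(':', $decoded, 2);
    }
    return null;
}

// Constructed sample 1: the RFC 2617 value quoted in the text above.
var_dump(parseBasicAuth(['REMOTE_USER' => 'BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==']));

// Constructed sample 2: user "feed" with the password "a:b:c".
var_dump(parseBasicAuth(
    ['REDIRECT_REMOTE_USER' => 'Basic ' . base64_encode('feed:a:b:c')]
));

// Constructed sample 3: a non-Basic scheme is rejected.
var_dump(parseBasicAuth(['REMOTE_USER' => 'Bearer abc']));
```

The returned name and password are still untrusted input and have to be checked against the user database before any feed is served.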





3 Comments

guest:possible solution?

8 years ago -

Thanks for your quick reply

Do you think that could be the solution?

http://www.yetanothercommunitysystem.com/yacs/articles/view.php/321

Hope you understand French ;)

Flavio

guest:are you getting somewhere with this?

8 years ago -

I haven't entirely understood exactly what the code does, but I think it stores the username in http-auth rather than in a get variable. Suggesting that, how about we store additional parameters in the username and then we parse the username before using it as authentication.

Is that an idea at all? Please tell me if I get it wrong.

best luck

Flavio

pixtur:some progress already

8 years ago (2. update 8 years ago)

The RSS-Feeds are already working on my local server. But I found a logical problem in the authentication method of Streber. There is a conflict between using Anonymous User and HTTP_auth. With the current implementation you could only have either way, but that would disable RSS Feeds for all projects to which Anonymous is not a team member.

So it will take some more time to refactor the login/authentication stuff. Maybe I will have some time on the weekend, but since my laptop broke... sigh..