helpers\WebClient: Add support for Digest authentication method #1487
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We use curl Guzzle backend to make HTTP requests. When credentials are given in the URI, curl will send them in the request using `Basic` authentication method. Since the `Basic` method is deprecated, some servers require e.g. `Digest` instead. selfoss did not support that. Let’s make selfoss use any HTTP authentication method the server offers in the `WWW-Authenticate` header using the `CURLAUTH_ANY` flag. This will make curl perform one extra GET request (only when credentials are provided) to obtain the authentication challenge. One downside is that authentication will no longer be attempted if the challenge response does not return `401 Unauthorized` and `WWW-Authenticate` header. I can imagine a website that would return `200 OK` and a feed only containing public data when no credentials are provided, private data only being included when the request contains `Authorization` header with credentials for the unadvertised `Basic` auth. This patch would silently change such feeds to the public mode. We are using `CURLAUTH_ANY` instead of `CURLAUTH_ANYSAFE` since some sites still only support `Basic` auth. Either flag will still choose the best available authentication method so it will be strictly better than the default `CURLAUTH_BASIC`.
✅ Deploy Preview for selfoss canceled.
|
cmm
added a commit
to cmm/selfoss
that referenced
this pull request
Jul 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We use curl Guzzle backend to make HTTP requests. When credentials are given in the URI, curl will send them in the request using
Basicauthentication method. Since theBasicmethod is deprecated, some servers require e.g.Digestinstead. selfoss did not support that.Let’s make selfoss use any HTTP authentication method the server offers in the
WWW-Authenticateheader using theCURLAUTH_ANYflag. This will make curl perform one extra GET request (only when credentials are provided) to obtain the authentication challenge.One downside is that authentication will no longer be attempted if the challenge response does not return
401 UnauthorizedandWWW-Authenticateheader. I can imagine a website that would return200 OKand a feed only containing public data when no credentials are provided, private data only being included when the request containsAuthorizationheader with credentials for the unadvertisedBasicauth. This patch would silently change such feeds to the public mode.We are using
CURLAUTH_ANYinstead ofCURLAUTH_ANYSAFEsince some sites still only supportBasicauth. Either flag will still choose the best available authentication method so it will be strictly better than the defaultCURLAUTH_BASIC.Fixes: #1486