
helpers\WebClient: Add support for Digest authentication method #1487

Status: Open. Wants to merge 1 commit into base: master

Conversation

jtojnar (Member) commented Jul 3, 2024

We use the curl Guzzle backend to make HTTP requests. When credentials are given in the URI, curl will send them in the request using the `Basic` authentication method. Since the `Basic` method is deprecated, some servers require e.g. `Digest` instead. selfoss did not support that.

Let’s make selfoss use any HTTP authentication method the server offers in the `WWW-Authenticate` header, using the `CURLAUTH_ANY` flag. This will make curl perform one extra GET request (only when credentials are provided) to obtain the authentication challenge.

One downside is that authentication will no longer be attempted if the challenge response does not return `401 Unauthorized` and a `WWW-Authenticate` header. I can imagine a website that would return `200 OK` and a feed containing only public data when no credentials are provided, private data being included only when the request contains an `Authorization` header with credentials for the unadvertised `Basic` auth. This patch would silently change such feeds to the public mode.

We are using `CURLAUTH_ANY` instead of `CURLAUTH_ANYSAFE` since some sites still only support `Basic` auth. Either flag will still choose the best available authentication method, so it will be strictly better than the default `CURLAUTH_BASIC`.

Fixes: #1486

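To make the three behaviours discussed above concrete (pre-emptive `Basic` as with curl's default `CURLAUTH_BASIC`, challenge-driven negotiation as with `CURLAUTH_ANY`, and the Basic-refusing `CURLAUTH_ANYSAFE`), here is an added example that is not selfoss, Guzzle or curl code. It models a toy feed origin and a toy client in Python; the credentials, realm and `/feed` path are constructed, and the Digest computation follows RFC 7616 with MD5 and `qop=auth`. The `advertised=()` server reproduces the edge case from the description: a server that answers `200 OK` with a public feed unless an unadvertised `Basic` header is sent, so a challenge-driven client silently gets the public feed after a single request.

```python
# Constructed model of CURLAUTH_BASIC vs CURLAUTH_ANY vs CURLAUTH_ANYSAFE.
import base64
import hashlib
import re
import secrets
from dataclasses import dataclass

USER, PASSWORD, REALM = "alice", "s3cret", "feeds"  # constructed values


@dataclass
class Response:
    status: int
    headers: list  # (name, value) pairs; one WWW-Authenticate per challenge
    body: str


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def _params(header: str) -> dict:
    """'Digest realm="feeds", qop=auth' -> {'realm': 'feeds', 'qop': 'auth'}"""
    body = header.split(" ", 1)[1]
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', body)}


def basic_header() -> str:
    return "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


def digest_header(challenge: str, method: str, uri: str) -> str:
    """Answer a Digest challenge (RFC 7616, MD5, qop=auth), as curl would."""
    p = _params(challenge)
    nc, cnonce = "00000001", secrets.token_hex(4)
    ha1 = _md5(f"{USER}:{p['realm']}:{PASSWORD}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{p['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{USER}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


class FeedServer:
    """Toy feed origin. `accepted`: schemes whose credentials it honours.
    `advertised`: schemes listed in WWW-Authenticate on a 401. Empty `advertised`
    models the unadvertised-Basic server: 200 + public feed unless credentials arrive."""

    def __init__(self, accepted, advertised):
        self.accepted, self.advertised = accepted, advertised
        self.nonce = secrets.token_hex(8)
        self.requests = 0  # round trips the client needed

    def _verify(self, auth: str, method: str, uri: str) -> bool:
        scheme = auth.split(" ", 1)[0]
        if scheme not in self.accepted:
            return False
        if scheme == "Basic":
            return secrets.compare_digest(auth, basic_header())
        p = _params(auth)
        if p.get("nonce") != self.nonce or p.get("username") != USER or p.get("uri") != uri:
            return False
        ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{self.nonce}:{p.get('nc')}:{p.get('cnonce')}:auth:{ha2}")
        return secrets.compare_digest(expected, p.get("response", ""))

    def handle(self, method: str, uri: str, headers: dict) -> Response:
        self.requests += 1
        auth = headers.get("Authorization")
        if auth and self._verify(auth, method, uri):
            return Response(200, [], "private feed")
        if not self.advertised:
            return Response(200, [], "public feed")
        challenges = []
        if "Basic" in self.advertised:
            challenges.append(("WWW-Authenticate", f'Basic realm="{REALM}"'))
        if "Digest" in self.advertised:
            challenges.append(("WWW-Authenticate",
                f'Digest realm="{REALM}", nonce="{self.nonce}", qop="auth", algorithm=MD5'))
        return Response(401, challenges, "")


def fetch(server: FeedServer, uri: str, mode: str) -> Response:
    """'basic' = CURLAUTH_BASIC (credentials sent pre-emptively);
    'any' = CURLAUTH_ANY (probe, then answer the strongest challenge);
    'anysafe' = CURLAUTH_ANYSAFE (like 'any' but never falls back to Basic)."""
    if mode == "basic":
        return server.handle("GET", uri, {"Authorization": basic_header()})
    probe = server.handle("GET", uri, {})  # the extra GET the description mentions
    if probe.status != 401:
        return probe  # no challenge: the credentials are never sent
    offered = [v for k, v in probe.headers if k == "WWW-Authenticate"]
    digest = next((v for v in offered if v.startswith("Digest ")), None)
    if digest:
        auth = digest_header(digest, "GET", uri)
    elif mode == "any" and any(v.startswith("Basic ") for v in offered):
        auth = basic_header()
    else:
        return probe  # ANYSAFE refuses a Basic-only server
    return server.handle("GET", uri, {"Authorization": auth})
```

Running `fetch(FeedServer(("Digest",), ("Digest",)), "/feed", "any")` returns the private feed after two round trips, while `mode="basic"` against the same server stops at the 401; `fetch(FeedServer(("Basic",), ()), "/feed", "any")` returns the public feed after one request, which is exactly the silent downgrade the description warns about. In Guzzle, curl options such as `CURLOPT_HTTPAUTH` are passed through the `curl` request option; the PR's own diff is not shown on this page.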

netlify bot commented Jul 3, 2024

Deploy Preview for selfoss canceled.

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 014b880 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/selfoss/deploys/668510df1c497300084b6d16 |

cmm added a commit to cmm/selfoss that referenced this pull request Jul 9, 2024
Development

Successfully merging this pull request may close these issues.

is digest authentication supposed to work?