Add require login bypass tokens feature #222
Conversation
Intended for use with Lightouse / Qualys to check performance of non-prod envs.
|
What's the chances of having this backported to v10 branch? 🙇🏼♂️ |
|
@ntwb its not a bug fix so I think your best option is to copy the functionality for now |
|
|
||
| use Altis; | ||
|
|
||
| const QUERY_ARG = 'altis-auth'; |
There was a problem hiding this comment.
This should ideally be passed through the Authorization header rather than as a query parameter, as the query parameter will end up in server logs/etc. Do the tools this was created for support this?
There was a problem hiding this comment.
Not sure, @mattheu ?
|
|
||
| if ( | ||
| isset( $_GET[ QUERY_ARG ] ) && | ||
| in_array( $_GET[ QUERY_ARG ], array_values( $tokens ), true ) |
There was a problem hiding this comment.
As a security feature, this needs to use constant-time comparison of strings to avoid timing attacks; ideally hash_equals()
|
|
||
| ### Bypass Tokens | ||
|
|
||
| Bypass tokens are a way to allow tools like Lighthouse or Qualys access to development or staging environments using a unique query string token. This lets you check performance insights on non-production environments for non-logged in users so you can see the experience most site visitors will get. |
There was a problem hiding this comment.
Not sure what "Qualys" is here, is that referencing SSL Labs? If so, authentication isn't necessary for that in any case.
Intended for use with Lightouse / Qualys to check performance of non-prod envs.