
Re: [Inf-IT DAVcl] Caldavzap/mate auth using basic_auth


Hi Ján!

>> I'm using apache basic_auth on my webserver that runs Davical and
>> caldavzap/mate.
>>
>> While caldavzap doesn't seem to be negatively affected by basic_auth,
>> unfortunately it doesn't take advantage of it either. In theory it could
>> skip the login screen and jump right into the calendar. Instead one has
>> to enter his credentials again.
> 
> No, basic auth is not related to "fast login" or anything similar. Basic auth =
> authentication where your username and password are sent in the request
> header without encryption. Another authentication is the Digest auth which
> uses multiple request/responses and sends your password in hashed form.

Yes, I'm using Basic Auth over TLS:

apache config:
[...]
AuthType Basic
AuthName "My secret area"
[...]

You're right, it doesn't offer anything like "fast login" (the user
still has to enter her password, just in a popup window presented by the
browser).

What Basic Auth *does* offer is a simple way to achieve single-sign-on
across wildly different web applications, as the browser will cache the
credentials during its runtime.

>> "/auth/" shows that caldavzap correctly receives username/password from
>> the webserver (even when not "logged in" in caldavzap).
> 
> No, the auth module cannot return the username/password if you are not
> logged in. You very probably entered your username + password into
> the browser authentication window and saved them. Then if you open
> the /auth/ URL your browser sends the username + password automatically.

Yes, precisely.

>> Is there a way to make caldavzap (and *mate) skip the login-screen in
>> such a setup?
> 
> It looks like you don't understand the reason why the auth module exists.
> The MAIN reason is to prevent the browser from showing the auth popup if you
> enter invalid username/password into the login window (because this problem
> is not solvable in pure JavaScript).

Yeah, the concept of the auth module is a bit fuzzy to me, and maybe it
doesn't have anything to do with what I'm trying to achieve (i.e., make
caldavzap somehow acquire the credentials provided by the browser).

How I understand caldavzap is that it is running partially as PHP on the
server and partially in the browser as JS. I don't have much experience
with JS-based apps like this. Old-school web applications like PHP-based
ones could easily be modified to make use of the PHP_AUTH_* variables so
that they would skip their login-screen.

I'd like to do the same with caldavzap. As caldavzap seems to run
primarily as JS in the browser, it obviously doesn't have access to the
PHP_AUTH_* environment variables. I just wonder whether you might know a
way to make this work regardless.

regards
Dariush
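
Two points from this thread can be seen by decoding a Basic auth header by hand: the credentials are only base64-encoded (hence the need for TLS), and the server-side PHP_AUTH_* values come from the request header, which page JavaScript cannot read. The following is an added example, not part of the original message or of caldavzap's code; the function names `parseBasicAuth` and `buildBasicAuth` and the sample credentials are made up for illustration.

```javascript
// Added example: decoding an HTTP Basic "Authorization" header (RFC 7617).
// parseBasicAuth/buildBasicAuth are hypothetical helper names; the sample
// credentials at the bottom are constructed.

function parseBasicAuth(headerValue) {
  if (typeof headerValue !== 'string') return null;
  // The scheme name is case-insensitive; one base64 blob follows it.
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!m) return null;
  const raw = Buffer.from(m[1], 'base64');
  // Buffer.from() silently skips bad input, so insist on a clean round trip.
  if (raw.toString('base64') !== m[1]) return null;
  const decoded = raw.toString('utf8');
  // RFC 7617 forbids control characters in user-id and password.
  if (/[\x00-\x1f\x7f]/.test(decoded)) return null;
  // Only the FIRST colon separates the fields: passwords may contain ':'.
  const sep = decoded.indexOf(':');
  if (sep === -1) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

function buildBasicAuth(user, password) {
  // A colon in the user-id would make the header ambiguous for the parser.
  if (user.includes(':')) throw new Error('user-id must not contain ":"');
  const blob = Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
  return 'Basic ' + blob;
}

// Constructed sample: anyone who can read the header can read the password,
// because base64 is an encoding and involves no key.
const sampleHeader = buildBasicAuth('alice', 's3cr:et');
console.log(sampleHeader, parseBasicAuth(sampleHeader));
```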
