
Re: [Inf-IT DAVcl] Caldavzap/mate auth using basic_auth


On 05 May 2014, at 08:22, Dariush Forouher <dariush@xxxxxxxxxxx> wrote:

> Hi Ján!
> 
>>> I'm using apache basic_auth on my webserver that runs Davical and
>>> caldavzap/mate.
>>> 
>>> While caldavzap doesn't seem to be negatively affected by basic_auth,
>>> unfortunately it doesn't take advantage of it either. In theory it could
>>> skip the login screen and jump right into the calendar. Instead one has
>>> to enter his credentials again.
>> 
>> no, basic auth is not related to "fast login" or anything similar. Basic auth =
>> authentication where your username and password are sent in the request
>> header without encryption. Another authentication is the Digest auth which
>> uses multiple request/responses and sends your password in hashed form.
> 
> Yes, I'm using Basic Auth over TLS:
> 
> apache config:
> [...]
> AuthType Basic
> AuthName "My secret area"
> [...]
> 
> You're right, it doesn't offer anything like "fast login" (the user
> still has to enter her password, just in a popup window presented by the
> browser).
> 
> What Basic Auth *does* offer is a simple way to achieve single-sign-on
> across wildly different web applications, as the browser will cache the
> credentials during its runtime.

You are partially right :-) ... the problem is that this approach works well
for basic web sites, but not for JavaScript *applications*. If a web application
needs to send username+password directly in the request, then it simply
needs to know the username/password (and it cannot read these from the
browser /there is no API for that/).

> 
>>> "/auth/" shows that caldavzap correctly receives username/password from
>>> the webserver (even when not "logged in" in caldavzap).
>> 
>> No, the auth module cannot return the username/password if you are not
>> logged in. You very probably entered your username + password into
>> the browser authentication window and saved them. Then if you open
>> the /auth/ URL your browser sends the username + password automatically.
> 
> Yes, precisely.
> 
>>> Is there a way to make caldavzap (and *mate) to skip the login-screen in
>>> such a setup?
>> 
>> It looks like you don't understand the reason why the auth module exists.
>> The MAIN reason is to prevent the browser from showing the auth popup if you
>> enter an invalid username/password into the login window (because this problem
>> is not solvable in pure JavaScript).
> 
> Yeah, the concept of the auth module is a bit fuzzy to me, and maybe it
> doesn't have anything to do with what I try to achieve (i.e., make
> caldavzap somehow acquire the credentials provided by the browser).
> 
> How I understand caldavzap is that it is running partially as PHP on the
> server and partially in the browser as JS. I don't have much experience
> with JS-based apps like this. Old-school web applications like PHP-based
> ones could easily be modified to make use of the PHP_AUTH_* variables so
> that they would skip their login-screen.

No, CalDavZAP is a pure JavaScript application, but it has one major limitation:
if it sends the username+password directly to the *DAV server and these
credentials are invalid, then your browser shows the auth popup window
(because it handles the WWW-Authenticate: response header), which breaks
the consistency of the GUI. There are 2 possible solutions for this problem:

1.) do not send the "WWW-Authenticate:" header if the client is CardDavMATE
or CalDavZAP (X-Client header) ... this approach requires changes on the server side

2.) create a "proxy" module, which sends username+password to the
*DAV server and, if the authentication is unsuccessful, does NOT return the
"WWW-Authenticate:" header back to the client (=> no auth popup); the
login process (only the login process) then looks like:

		Client => Auth module => Server


> 
> I'd like to do the same with caldavzap. As caldavzap seems to run
> primarily as JS in the browser, it obviously doesn't have access to the
> PHP_AUTH_* environment variables. I just wonder whether you might know a
> way to make this work regardless.

As I mentioned earlier there is no way to get the username/password from
the browser back to the JavaScript. And if you don't know the username, then
there is no principal URL => it will not work.

What you can try is:

1.) use the globalAccountSettings option with empty ('') username+password and
href option set to principal URL with invalid user part (such as "xxx") and then use
rewrite rules on server side and replace the "xxx" username (from the auth variables)
before the request reaches the *DAV server

2.) change the source code and perform the request to the auth module without
requiring a click on the "Login" button. The reason why there is no such option is that
I really hate it, because of the stupid implementation of basic auth by browsers
(there is no way to log out without a browser restart)


JM


> 
> regards
> Dariush
> 


