
[Inf-IT DAVcl] Using HTTP Basic Auth


Hi! I just want to share my hack, as it will likely be valuable to others as well. I have a not so uncommon setup: people log in via HTTP Basic Authentication (popup window in the web browser). The webserver manages the login via LDAP. Once logged in, they have access to several webservices like a wiki, a file safe (Nextcloud or something), InfCloud and others. So clearly I do not want any login page. The login credentials are known to the webserver and the web browser. The web browser will happily send them again without user interaction. Officially there seems to be no way to log in without the login screen but also without hard-coding credentials in config.js.
OK. Generally, this is not so easy, because in JavaScript you cannot access the browser’s authentication cache—for good reason. But in my case (and maybe in your case, too) the InfCloud files are provided by the same webserver that also serves as the WebDAV server (DAViCal in my case); and also by the same vhost. (This might later be important—see below. I have no special subdomain for DAViCal.) So there are no (additional) security concerns in sending the credentials once again from the browser to the webserver and back again, so I can read them in my JavaScript. Here is what I have done:
1) Rename InfCloud’s index.html to index.php.
You should try this out. Maybe you better use another language, if PHP is not available to your webserver. In my case, DAViCal is running on the same webserver, which is written in PHP. So, obviously, I can run PHP scripts.
2) In the lines around 620 in index.php, there are some hidden form fields (<input id="foo" type="hidden" value=""/>). Add two more like this:
<!-- The '?? ""' fallback avoids an undefined-index warning when the request carried no Basic Auth credentials -->
<input id="foo-login" type="hidden" value="<?=htmlspecialchars($_SERVER['PHP_AUTH_USER'] ?? '')?>"/>
<input id="foo-pw" type="hidden" value="<?=htmlspecialchars($_SERVER['PHP_AUTH_PW'] ?? '')?>"/>
The effect is that the user gets back an HTML file with their login credentials in cleartext in there. Don’t do this if this is risky in your setup. In most cases this should not be risky, as the browser knows the credentials anyway, as does anyone who can read the traffic between the browser and the InfCloud webserver.
3) At the beginning of index.php, inside the <head></head> section, there are several lines starting with “<script”. Move all these lines to the end of the document, right before the closing </body> tag.
The JavaScript needs to be loaded after the rest of the document, because otherwise the JavaScript code at the beginning would not have access to the content of the document, i.e. to our credentials.
4) In config.js, enable the globalAccountSettings method (that one with the hard-coded credentials). But instead of really hard-coding some credentials there, you type (for example, if you have DAViCal installed in /cal/ and rewrite the URLs in your webserver config, so you can omit the part “/caldav.php”):
href: 'https://example.com:443/cal/'+document.getElementById('foo-login').value+'/',
userAuth:
{
	userName: document.getElementById('foo-login').value,
	userPassword: document.getElementById('foo-pw').value
},

If both the WebDAV server and the InfCloud files are below the same principal URL (same vhost), then a better solution would be if InfCloud simply tried to access the WebDAV server without sending any login credentials. The WebDAV server would then reply with 401 and the browser would resend the request with the already-known credentials in the request header. This would be much less of a hack. Maybe someone else wants to try that.
Love
Torsten