Issue #913 resolved

Improvements to basic auth

created an issue

The current implementation of HTTP Basic Auth suffers from a few defects:

  • The API is contorted. The {{{users}}} arg is either:

    1. a dict of the form: {username: password}, or
    2. a callable returning a dict, or
    3. a callable returning a password

    The third of these is not documented.

  • It only works easily with plaintext passwords, or MD5 hashes of passwords. If you want to use some other password storage method, e.g. MD5 hashes of salt + password, you have to provide a separate {{{ encrypt() }}} function which basic_auth calls after obtaining the password from the {{{ users }}} thing. Then basic_auth performs the comparison itself. This is silly. Note that the {{{ encrypt() }}} function would have to read the same credentials store that the {{{ users }}} callable did to obtain the salt.

  • The code is intertwined with code for Digest auth, although the two authentication methods have very little in common. As a consequence the Digest auth API suffers. (The flaws in Digest auth implementation and API will be discussed in a separate ticket).

I have written another implementation of Basic auth which is intended to replace the current one found in lib/ and lib/ The main differences are:

  • The code is completely separate from code for Digest auth. And, it is only 25 lines.

  • Instead of an overloaded 'users' argument, and an optional 'encrypt' argument, you pass it a 'checkpassword' function which takes a realm, user, and password as arguments and returns a boolean indication of authentication success or failure.
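
Added example, not part of the original issue or the project's code: a sketch of the callback shape proposed above, in which a single {{{checkpassword(realm, user, password)}}} function reads the salt and performs the comparison itself. The PBKDF2 storage scheme (swapped in for the MD5 schemes the issue mentions), the in-memory {{{STORE}}}, and the {{{basic_auth}}} header parser are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    """Return (salt, derived_key) as it would be stored for one user."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed credential store: {realm: {user: (salt, derived_key)}}
STORE = {"example-realm": {"alice": make_record("correct horse")}}

# Stand-in record so that unknown users still cost one key derivation.
_DUMMY = make_record("dummy")


def checkpassword(realm, user, password):
    """Salt lookup and comparison live in one place; the caller sees only a bool."""
    record = STORE.get(realm, {}).get(user)
    salt, expected = record if record else _DUMMY
    candidate = _derive(password, salt)
    # Constant-time compare; 'record is not None' rejects unknown users.
    return hmac.compare_digest(candidate, expected) and record is not None


def basic_auth(authorization_header, realm, checkpassword):
    """Parse an Authorization header value and delegate the decision."""
    scheme, _, param = (authorization_header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    # The user-id cannot contain ':', so split on the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    return checkpassword(realm, user, password)
```
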
