[squeak-dev] https & woocommerce; basicAuth etc?

tim Rowledge tim at rowledge.org
Mon Oct 8 21:05:53 UTC 2018



> On 2018-10-08, at 3:04 AM, Tobias Pape <Das.Linux at gmx.de> wrote:
> 
> 
> Just for completeness' sake: if your server gives you a 401 but not a WWW-Authenticate, they're doing it wrong:
> 
> 	https://tools.ietf.org/html/rfc7235#section-4.1
> 	"A server generating a 401 (Unauthorized) response MUST send a
> 	 WWW-Authenticate header field containing at least one challenge"
> 
> On the other hand, the 401-before-Authenticate is the norm but not RFC required:
> 
> 	https://tools.ietf.org/html/rfc7235#section-4.2
> 	"The "Authorization" header field allows a user agent to authenticate
> 	itself with an origin server -- usually, but not necessarily, after
> 	receiving a 401 (Unauthorized) response. "

So it must do it but it is optional? Sounds about right for 'standards' {insert obligatory xkcd reference url} on the web.

The practical issue is that WooCommerce is a very common thing and unless I've managed to mess something up (certainly not impossible in this case) it simply doesn't do what it is supposed to. There's quite a lot about this issue around the web, for what it's worth.

For an example, using the Postman application to avoid any possible problems in my squeak - 
do a GET with https://astropicase.com/wp-json/wc/v2/products and no auth.
The response body is 
{"code":"woocommerce_rest_cannot_view","message":"Sorry, you cannot list resources.","data":{"status":401}}
and the listing of headers has no mention of any WWW-Authenticate or similar.


Interestingly some woocommerce documentation writes about doing the right thing -
http://woocommerce.wp-a2z.org/oik_api/wc_api_authenticationexit_with_unauthorized_headers/
but I don't see anything that makes me understand why it isn't apparently being used.

Perhaps there is some configuration setting buried in there - but one of the classic problems is the way that any area of endeavour ends up with its own idioms and assumed knowledge and until you know a lot of it you don't know enough to be able to ask intelligent questions to help you get to know any of it. So I'm pretty lost in much of this and I really don't want to be an expert anyway since there is already way too much to do.

> However, proactively sending Authorization-headers is a grave security issue. It Should Not Be Done.

I'm interested; why do you say this?


tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
Rules for Optimization: 1. Don't; 2. (for experts only) Don't Yet
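As an added example (not code from the original post, from Squeak, or from WooCommerce), here is a small client-side check of the RFC 7235 point argued above: a 401 must carry a WWW-Authenticate challenge, and a client that waits for that challenge before sending Authorization has nothing to go on when the challenge is missing. The two sample 401 responses are constructed, not captured from any server; the realm text, the `ck_user`/`cs_secret` credentials and the verdict strings are assumptions made for illustration.

```python
"""Challenge-driven Basic auth client logic, with an RFC 7235 section 4.1 check.

Added example; not WooCommerce or Squeak code. Both sample responses below
are constructed by hand, not captured from a real server.
"""
import base64
import re

# --- constructed sample responses (assumption: shape only, not real captures) --
WOOCOMMERCE_LIKE_401 = {  # a 401 with a JSON body but no WWW-Authenticate header
    "status": 401,
    "headers": {"Content-Type": "application/json; charset=UTF-8"},
    "body": '{"code":"woocommerce_rest_cannot_view","message":"Sorry, you cannot '
            'list resources.","data":{"status":401}}',
}
RFC_COMPLIANT_401 = {  # realm text is an assumption; only the header's shape matters
    "status": 401,
    "headers": {"WWW-Authenticate": 'Basic realm="WooCommerce API", charset="UTF-8"'},
    "body": "",
}

# RFC 7230 token characters; auth-scheme and auth-param names are tokens (RFC 7235)
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_SCHEME_RE = re.compile(r"\s*(" + _TOKEN + r")\s*")
_PARAM_RE = re.compile(r"\s*(" + _TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|' + _TOKEN + r")\s*,?")


def parse_challenges(value):
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...].

    Handles comma-separated auth-params and several challenges in one header
    (RFC 7235 section 4.1). token68 challenges (a scheme followed by one bare
    blob with no '=' params) are not handled; they are rare in challenges.
    """
    challenges, pos = [], 0
    while pos < len(value):
        m = _SCHEME_RE.match(value, pos)
        if not m:
            break
        scheme, pos, params = m.group(1), m.end(), {}
        while True:  # consume name=value params until the next token is a scheme
            pm = _PARAM_RE.match(value, pos)
            if not pm:
                break
            name, raw = pm.group(1), pm.group(2)
            params[name.lower()] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
            pos = pm.end()
        challenges.append((scheme, params))
        while pos < len(value) and value[pos] in ", \t":  # separator between challenges
            pos += 1
    return challenges


def _header(headers, name):
    """Case-insensitive header lookup; HTTP field names are case-insensitive."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def classify_401(response):
    """Return (verdict, challenges); a 401 without a challenge violates the MUST in 4.1."""
    if response["status"] != 401:
        return ("not-a-401", [])
    value = _header(response["headers"], "WWW-Authenticate")
    if value is None:
        return ("401-without-challenge", [])
    challenges = parse_challenges(value)
    return ("401-with-challenge" if challenges else "401-with-empty-challenge", challenges)


def build_basic_authorization(user, password, params=None):
    """RFC 7617 Basic credential; UTF-8 only when the challenge says charset="UTF-8"."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617 section 2)")
    charset = (params or {}).get("charset", "ISO-8859-1")
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Inverse of build_basic_authorization, used to check a built credential."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def authorization_for(response, user, password):
    """Headers a challenge-driven client sends next, or None if it cannot proceed.

    With a bare 401 the client cannot learn the scheme (or charset) from the
    response, so it has nothing to answer; it can only stop here.
    """
    verdict, challenges = classify_401(response)
    if verdict != "401-with-challenge":
        return None
    for scheme, params in challenges:
        if scheme.lower() == "basic":
            return {"Authorization": build_basic_authorization(user, password, params)}
    return None  # challenged, but with no scheme this client implements


if __name__ == "__main__":
    for name, resp in (("woocommerce-like", WOOCOMMERCE_LIKE_401),
                       ("rfc-compliant", RFC_COMPLIANT_401)):
        print(name, classify_401(resp)[0], authorization_for(resp, "ck_user", "cs_secret"))
```

Run stand-alone it prints a verdict per constructed response: the WooCommerce-like one is classified "401-without-challenge" and yields no Authorization header, while the compliant one yields a Basic credential built with the charset the challenge advertised.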