[squeak-dev] https & woocommerce; basicAuth etc?

tim Rowledge tim at rowledge.org
Tue Oct 9 00:41:39 UTC 2018



> On 2018-10-08, at 3:01 PM, Tobias Pape <Das.Linux at gmx.de> wrote:
> 
> Hi Ron,
> 

Ron? Who Ron? Not me... ;-)

> 
> So we are a bit wrong, but the server is wronger™. Not sending the header but making 401 is baad.
> Strangely, their current code looks correct-ish. What version does that have? Because:
> 
> 	https://github.com/woocommerce/woocommerce/commit/98f4f2110425e96438a6230efedcfb88945d89ad
> 
> apparently introduced the header in v3.5 or so...

Now that is weird. I know the WC plugin was updated just a week or so ago but it is apparently only 3.4.4. And to make it more interesting that commit was dated in 2016! I'll get sysadmin to update *again*.


>> The practical issue is that WooCommerce is a very common thing and unless I've managed to mess something up (certainly not impossible in this case) it simply doesn't do what it is supposed to. There's quite a lot about this issue around the web, for what it's worth.
> 
> Yea, apparently it is not easy to configure front-servers (aka reverse proxies) to correctly pass headers around.
> It seems to be so common that they include things like that in the documentation:
> 	"Occasionally some servers may not parse the Authorization header correctly (if you see a “Consumer key is missing” error when authenticating over SSL, you have a server issue). In this case, you may provide the consumer key/secret as query string parameters instead."
> 	(https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication-over-https)

Yup, it annoys me on a regular basis over the recent past.

> Yep. Entry vocabulary. It's especially strange in this rest-api setting (wth is a Bearer?)

I can only think it is something to do with Winnie the Pooh.


>>> However, proactively sending Authorization-headers is a grave security issue. It Should Not Be Done.
>> 
>> I'm interested; why do you say this?
> 
> Because it's like running around with your credit card and putting it in every slot available _just_ because you know one of the machines you come by you want to buy something from.

Oh, I get your point. Promiscuously sticking your bits in any available socket may get you an infection.


tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
Useful random insult:- Got into the gene pool while the lifeguard wasn't watching.
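The challenge-driven client behaviour the thread argues for, as an added example that is not Squeak's WebClient code nor WooCommerce's: credentials are released only after a 401 that carries a Basic challenge, a 401 with no WWW-Authenticate header is surfaced as the server-side fault discussed above, and credentials are never carried across a redirect to a different origin. The injected transport `send`, the `ServerMisconfigured` exception and every URL are assumptions constructed for this example.

```python
import base64
from urllib.parse import urlsplit


class ServerMisconfigured(Exception):
    """A 401 with no WWW-Authenticate header: the server broke the challenge contract."""


def parse_challenges(header_value):
    """Return the auth schemes named in a WWW-Authenticate value, lowercased.
    Handles the common 'Basic realm="x", Bearer' shape; not a full RFC 7235 parser."""
    schemes = []
    for part in header_value.split(","):
        token = part.strip().split(" ", 1)[0]
        if token and "=" not in token:      # skip 'qop="auth"' style continuation pieces
            schemes.append(token.lower())
    return schemes


def same_origin(url_a, url_b):
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def fetch_with_basic_auth(send, url, user, password):
    """send(url, headers) -> (status, response_headers) is the injected transport
    (an assumption of this example). Returns (final_status, credentials_were_sent).
    Credentials go out only in reply to a Basic challenge, and only to the origin
    that issued it; they are never sent preemptively."""
    status, resp = send(url, {})                     # first request: no credentials
    if status != 401:
        return status, False
    challenge = resp.get("WWW-Authenticate")
    if challenge is None:
        raise ServerMisconfigured("401 without WWW-Authenticate")
    if "basic" not in parse_challenges(challenge):
        return status, False                         # another scheme wanted; do not guess
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    auth = {"Authorization": "Basic " + token}
    status, resp = send(url, auth)
    location = resp.get("Location")
    if 300 <= status < 400 and location:
        # Follow one redirect, but carry the credentials only to the same origin.
        status, _ = send(location, auth if same_origin(url, location) else {})
    return status, True
```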