[squeak-dev] https & woocommerce; basicAuth etc?
Tobias Pape
Das.Linux at gmx.de
Tue Oct 9 08:10:58 UTC 2018
Hi,
> On 09.10.2018, at 02:41, tim Rowledge <tim at rowledge.org> wrote:
>
>
>
>> On 2018-10-08, at 3:01 PM, Tobias Pape <Das.Linux at gmx.de> wrote:
>>
>> Hi Ron,
>>
>
> Ron? Who Ron? Not me... ;-)
>
Yea, sorry Tim. I recently wrote to Ron.
Maybe prophecy? Maybe you should chat with Ron? :D
>>
>> So we are a bit wrong, but the server is wronger™. Not sending the header but making 401 is baad.
>> Strangely, their current code looks correct-ish. What version does that have? Because:
>>
>> https://github.com/woocommerce/woocommerce/commit/98f4f2110425e96438a6230efedcfb88945d89ad
>>
>> apparently introduced the header in v3.5 or so...
>
> Now that is weird. I know the WC plugin was updated just a week or so ago but it is apparently only 3.4.4. And to make it more interesting that commit was dated in 2016! I'll get sysadmin to update *again*.
Versions are sooo fun.
>
>
>>> The practical issue is that WooCommerce is a very common thing and unless I've managed to mess something up (certainly not impossible in this case) it simply doesn't do what it is supposed to. There's quite a lot about this issue around the web, for what it's worth.
>>
>> Yea, apparently it is not easy to configure front-servers (aka reverse proxies) to correctly pass headers around.
>> It seems to be so common that they include things like that in the documentation:
>> "Occasionally some servers may not parse the Authorization header correctly (if you see a “Consumer key is missing” error when authenticating over SSL, you have a server issue). In this case, you may provide the consumer key/secret as query string parameters instead."
>> (https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication-over-https)
>
> Yup, it annoys me on a regular basis over the recent past.
>
>> Yep. Entry vocabulary. It's especially strange in this rest-api setting (wth is a Bearer?)
>
> I can only think it is something to do with Winnie the Pooh.
That would be more fun than https://tools.ietf.org/html/rfc6750 actually.
>
>
>>>> However, proactively sending Authorization-headers is a grave security issue. It Should Not Be Done.
>>>
>>> I'm interested; why do you say this?
>>
>> Because it's like running around with your credit card and putting it in every slot available _just_ because you know one of the machines you come by you want to buy something from.
>
> Oh, I get your point. Promiscuously sticking your bits in any available socket may get you an infection
Well said.
Best regards
-Tobias
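As an added illustration of the challenge-response point made in the thread (a client should attach Basic credentials only in reply to a 401 that actually carries a WWW-Authenticate header, only over HTTPS, and only to the origin that challenged it, while a 401 without that header is the server's bug), here is an example client-side policy in Python. It is not code from the thread, from Squeak, or from WooCommerce; the host names and realm are constructed.

```python
"""Challenge-driven Basic auth policy for an HTTP client (RFC 7235: a 401
must carry WWW-Authenticate; credentials are never sent proactively)."""
import re
from urllib.parse import urlsplit

# key=value pairs, quoted or bare, inside a single challenge
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def origin(url):
    """scheme://host[:port] in lower case, used as the credential scope."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def parse_challenge(value):
    """Parse one WWW-Authenticate challenge such as 'Basic realm="shop"'.
    Returns (scheme in lower case, dict of auth-params)."""
    parts = value.strip().split(None, 1)
    scheme = parts[0].lower()
    params = {}
    if len(parts) > 1:
        for key, quoted, bare in _PARAM_RE.findall(parts[1]):
            params[key.lower()] = quoted if quoted else bare
    return scheme, params


class AuthPolicy:
    """Remembers which origins have challenged us, so Authorization is only
    added for a later request to that same origin over https."""

    def __init__(self):
        self.challenged = {}  # origin -> realm

    def on_response(self, url, status, headers):
        """Record a Basic challenge. Returns a diagnostic string when the
        server is misbehaving (401 without WWW-Authenticate, or a scheme we
        do not support); returns None when everything is in order."""
        if status != 401:
            return None
        lowered = {k.lower(): v for k, v in headers.items()}
        www = lowered.get("www-authenticate")
        if not www:
            return "server bug: 401 without WWW-Authenticate (RFC 7235 3.1)"
        scheme, params = parse_challenge(www)
        if scheme != "basic":
            return "unsupported challenge scheme: " + scheme
        self.challenged[origin(url)] = params.get("realm", "")
        return None

    def may_send_basic(self, url):
        """True only for an https URL whose origin has challenged us."""
        if urlsplit(url).scheme.lower() != "https":
            return False  # Basic over plain http would leak the secret
        return origin(url) in self.challenged
```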