[squeak-dev] https & woocommerce; basicAuth etc?

Tobias Pape Das.Linux at gmx.de
Tue Oct 9 08:10:58 UTC 2018


Hi,

> On 09.10.2018, at 02:41, tim Rowledge <tim at rowledge.org> wrote:
> 
> 
> 
>> On 2018-10-08, at 3:01 PM, Tobias Pape <Das.Linux at gmx.de> wrote:
>> 
>> Hi Ron,
>> 
> 
> Ron? Who Ron? Not me... ;-)
> 

Yeah, sorry Tim. I recently wrote to Ron.
Maybe prophecy? Maybe you should chat with Ron? :D

>> 
>> So we are a bit wrong, but the server is wronger™. Not sending the header but making 401 is baad.
>> Strangely, their current code looks correct-ish. What version does that have? Because: 
>> 
>> 	https://github.com/woocommerce/woocommerce/commit/98f4f2110425e96438a6230efedcfb88945d89ad
>> 
>> apparently introduced the header in v3.5 or so...
> 
> Now that is weird. I know the WC plugin was updated just a week or so ago but it is apparently only 3.4.4. And to make it more interesting, that commit was dated in 2016! I'll get sysadmin to update *again*.

Versions are sooo fun.

> 
> 
>>> The practical issue is that WooCommerce is a very common thing and unless I've managed to mess something up (certainly not impossible in this case) it simply doesn't do what it is supposed to. There's quite a lot about this issue around the web, for what it's worth.
>> 
>> Yeah, apparently it is not easy to configure front-servers (aka reverse proxies) to correctly pass headers around.
>> It seems to be so common that they include things like that in the documentation:
>> 	"Occasionally some servers may not parse the Authorization header correctly (if you see a “Consumer key is missing” error when authenticating over SSL, you have a server issue). In this case, you may provide the consumer key/secret as query string parameters instead."
>> 	(https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication-over-https)
> 
> Yup, it annoys me on a regular basis over the recent past.
> 
>> Yep. Entry vocabulary. It's especially strange in this REST-API setting (wth is a Bearer?)
> 
> I can only think it is something to do with Winnie the Pooh.

That would be more fun than https://tools.ietf.org/html/rfc6750 actually.

> 
> 
>>>> However, proactively sending Authorization-headers is a grave security issue. It Should Not Be Done.
>>> 
>>> I'm interested; why do you say this?
>> 
>> Because it's like running around with your credit card and putting it in every slot available _just_ because you know one of the machines you come by you want to buy something from.
> 
> Oh, I get your point. Promiscuously sticking your bits in any available socket may get you an infection.

Well said.

Best regards
	-Tobias
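The challenge flow Tobias and Tim are discussing, as an added example in Python that is not part of the thread or of WooCommerce's code: the client sends Basic credentials only after a 401 that carries a WWW-Authenticate challenge, refuses to send them to any other origin, and treats a 401 without a challenge as a server problem rather than a client bug. The origin, key pair, endpoint path and the two simulated servers are constructed.

```python
import base64
import re

# Constructed values for the example; the origin and key pair are not real.
ORIGIN = "https://shop.example.test"
CREDENTIALS = ("ck_demo_key", "cs_demo_secret")   # WooCommerce-style key/secret
ORDERS_URL = ORIGIN + "/wp-json/wc/v3/orders"      # constructed endpoint path


def basic_header(user, password):
    """Build the RFC 7617 Basic credential: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_challenge(www_authenticate):
    """Return (scheme, realm) from a WWW-Authenticate value, or None if absent."""
    if not www_authenticate:
        return None
    m = re.match(r'\s*([A-Za-z]+)(?:\s+realm="([^"]*)")?', www_authenticate)
    return (m.group(1).lower(), m.group(2)) if m else None


def fetch(server, url, creds):
    """Challenge-driven client: credentials leave only after a proper 401."""
    if not url.startswith(ORIGIN + "/"):
        raise ValueError("refusing to send credentials to another origin")
    status, headers, body = server(url, {})          # first request: no secrets
    if status != 401:
        return ("ok" if status == 200 else "error"), status, body
    challenge = parse_challenge(headers.get("WWW-Authenticate"))
    if challenge is None:                            # 401 without a challenge:
        return "server-misconfigured", status, body  # the thread's WooCommerce case
    if challenge[0] != "basic":
        return "unsupported-scheme", status, body
    status, headers, body = server(url, {"Authorization": basic_header(*creds)})
    return ("ok" if status == 200 else "unauthorized"), status, body


def correct_server(url, headers):
    """Simulated server that challenges properly before accepting Basic auth."""
    if headers.get("Authorization") == basic_header(*CREDENTIALS):
        return 200, {}, "[orders]"
    return 401, {"WWW-Authenticate": 'Basic realm="WooCommerce REST API"'}, ""


def broken_server(url, headers):
    """Simulated misbehaving server: 401 but no WWW-Authenticate header."""
    if headers.get("Authorization") == basic_header(*CREDENTIALS):
        return 200, {}, "[orders]"
    return 401, {}, "Consumer key is missing"
```

Against the broken server the client never gets as far as sending the key pair, which is the correct outcome: the fix belongs on the server or the reverse proxy in front of it, not in a client that sprays credentials preemptively.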

