Re: [fossil-users] Authentication via URL
On Mon, Nov 21, 2011 at 11:28 PM, Jeremy Cowgar jer...@cowgar.com wrote:

> http://user:pass@... does not work. That is just another way of encoding for HTTP Basic Authentication which fossil does not support, and cannot support w/CGI.

Aha - i see now that it works for cloning, but apparently not the HTTP interface. i wasn't aware of that.

--
- stephan beal
http://wanderinghorse.net/home/stephan/

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] Authentication via URL
That is interesting that it works for cloning. I was under the impression that a CGI application could not even retrieve that information. I will look into the clone code and see how it is retrieved. Thanks for reminding me of that.

Jeremy

> From: Stephan Beal
> Sent: Tuesday, November 22, 2011 2:32 PM
> To: Fossil SCM user's discussion
> Subject: Re: [fossil-users] Authentication via URL
>
> Aha - i see now that it works for cloning, but apparently not the HTTP interface. i wasn't aware of that.
Re: [fossil-users] Authentication via URL
It works because it's not sent as HTTP Basic when cloning. Fossil sends it in its own 'Card' format. The password is sent hashed and nonced (though I forget the exact details of the exchange.) Which means it's actually a bit better than Basic authentication.

-B

On Tue, Nov 22, 2011 at 11:38 AM, Jeremy Cowgar jer...@cowgar.com wrote:

> That is interesting that it works for cloning. I was under the impression that a CGI application could not even retrieve that information. I will look into the clone code and see how it is retrieved. Thanks for reminding me of that.
Re: [fossil-users] Authentication via URL
So we are back to square one on accessing an RSS feed that is protected via a normal RSS reader. There may only be two solutions to this problem:

1. Allow authuser=johndoe&authpass=secret as a URL parameter
2. Forget accessing secured RSS feeds

Any other ideas?

Jeremy

> -----Original Message-----
> From: Brian Smith
> Sent: Tuesday, November 22, 2011 3:10 PM
> To: Fossil SCM user's discussion
> Subject: Re: [fossil-users] Authentication via URL
>
> It works because it's not sent as HTTP Basic when cloning. Fossil sends it in its own 'Card' format. The password is sent hashed and nonced (though I forget the exact details of the exchange.) Which means it's actually a bit better than Basic authentication.
Re: [fossil-users] Authentication via URL
On Nov 22, 2011, at 9:32 PM, Jeremy Cowgar wrote:

> So we are back to square one on accessing an RSS feed that is protected via a normal RSS reader. There may only be two solutions to this problem:
>
> 1. Allow authuser=johndoe&authpass=secret as a URL parameter
> 2. Forget accessing secured RSS feeds
>
> Any other ideas?

Try a smarter RSS reader? I remember having Opera read a few protected feeds...

Kind regards,
Remigiusz Modrzejewski
Re: [fossil-users] Authentication via URL
On Tue, Nov 22, 2011 at 9:32 PM, Jeremy Cowgar jer...@cowgar.com wrote:

> 1. Allow authuser=johndoe&authpass=secret as a URL parameter
> 2. Forget accessing secured RSS feeds
>
> Any other ideas?

In theory (though i have not tested it), you can pass the login cookie as a GET parameter, as fossil internally treats GET/POST/COOKIE data identically for most purposes. The trick, then, is getting the login cookie. It has a project-specific name and is normally sent as a cookie. Its value (but not its name) can alternately be fetched via the JSON API, but that wouldn't help very much for this particular use case.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
Re: [fossil-users] Authentication via URL
> -----Original Message-----
> From: Remigiusz Modrzejewski
> Sent: Tuesday, November 22, 2011 3:43 PM
> To: Fossil SCM user's discussion
> Subject: Re: [fossil-users] Authentication via URL
>
> Try a smarter RSS reader? I remember having Opera read a few protected feeds...

It's not that simple. Most RSS readers will authenticate via Basic Authentication, which most feeds are set up as. Fossil, on the other hand, does not directly support Basic Authentication. In order for you to read a protected Fossil RSS feed you have to log in via the Fossil login screen. No RSS reader (that I know of) will do this. It would have to be told where the login screen is, what the input names are for the username and password fields, then how to interpret the results.

Jeremy
Re: [fossil-users] Authentication via URL
On Tue, Nov 22, 2011 at 9:44 PM, Stephan Beal sgb...@googlemail.com wrote:

> In theory (though i have not tested it), you can pass the login cookie as a GET parameter, as fossil internally treats GET/POST/COOKIE data identically for most purposes. The trick, then, is getting the login cookie.
> ...

Here's something we can try... it won't work out of the box, but if the concept can be proven then i'll commit to adding the bits which will make it work out of the box:

http://fossil.wanderinghorse.net/repos/fossil-sgb/index.cgi/json/login?name=json-demo&password=json-demo

that outputs something like:

    {
      "fossil": "013e8ee723fe17c61a74ef9aa69a3032e9aa3e55",
      "timestamp": 1321995094,
      "command": "login",
      "procTimeMs": 2,
      "payload": {
        "authToken": "2D0E39234B4A945C614C844ECCCE71EC4F05B40751E68A4AB8/CE59BB9F186226D8/json-demo",
        "name": "json-demo",
        "capabilities": "hgjorz"
      }
    }

The missing part there is the (repo-specific) cookie name, which we could _theoretically_ combine with the above authToken (==the cookie's value) to produce a login string:

http://.../index.cgi/timeline.rss?fossil-XYZ=the_above_authToken

where XYZ==the project-specific code. If someone can verify that that would work, i will expand the JSON login input to provide the project-specific cookie name as part of the output. From there it should be relatively simple (e.g. using JavaScript) to construct an RSS pull URL (as shown above).

i'm unfortunately all out of energy for the time being (i was recently contracted out to a new customer in the TV industry, and they keep me busier than i'd really like to be!), so i can't commit to the experimentation. If someone else can verify that this approach would/might be useful, though, i can extend the JSON API to provide the output data needed for this approach.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
Re: [fossil-users] Authentication via URL
Stephan,

That does indeed work, however, how long will that cookie be active? It should have a time encoded in it so as to expire after a period of time. Otherwise, if someone were to get ahold of the cookie they could use it indefinitely.

Jeremy

> From: Stephan Beal
> Sent: Tuesday, November 22, 2011 3:58 PM
> To: Fossil SCM user's discussion
> Subject: Re: [fossil-users] Authentication via URL
>
> The missing part there is the (repo-specific) cookie name, which we could _theoretically_ combine with the above authToken (==the cookie's value) to produce a login string:
>
> http://.../index.cgi/timeline.rss?fossil-XYZ=the_above_authToken
>
> where XYZ==the project-specific code. If someone can verify that that would work, i will expand the JSON login input to provide the project-specific cookie name as part of the output.
Re: [fossil-users] Authentication via URL
On Tue, Nov 22, 2011 at 10:10 PM, Jeremy Cowgar jer...@cowgar.com wrote:

> That does indeed work, however, how long will that cookie be active? It should have a time encoded in it so as to expire after a period of time. Otherwise, if someone were to get ahold of the cookie they could use it indefinitely.

i knew some observant person would ask that ;). i don't remember off hand how long the cookie is valid. When the time expires, the auth token (==the login cookie's value) expires with it. AFAIK the cookie's name does not change as long as the repo's name and shared secret do not change, but i need to verify that. While the code is technically only a few windows away, i'm dead tired and won't get around to looking at it this evening.

There is a secondary problem with this approach which i failed to mention earlier: fossil's current login mechanism does not support multiple logins for one user. Each successful login generates a new auth token, so the most recent login wins, so to say. This is high on my own personal list of fixmes because the single-login restriction poses a severe usability problem for the JSON API. That said, fixing it requires touching/restructuring some internal bits of fossil which need careful consideration before touching them, and i cannot currently give a guesstimate as to when this will be resolved.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
Re: [fossil-users] Authentication via URL
On Tue, Nov 22, 2011 at 10:10 PM, Jeremy Cowgar jer...@cowgar.com wrote:

> That does indeed work

PS: on Thursday morning i'll be leaving town for the back woods of northern Germany for 4 days (without a PC), so i'll get the cookie name added to the JSON output tomorrow (Wednesday) evening before i leave.

> , however, how long will that cookie be active? It should have a time encoded in it so as to expire after a period of time.

i'll try to answer that for you by tomorrow night as well. It should be simple to add the expiry time to the JSON output as well, so that the client can know how long the login will be valid for.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
Re: [fossil-users] Authentication via URL
I just thought of another potential solution, I think maybe the best option yet?

On the logout page (where you can also change your password, etc...) display an “RSS Key”. The “RSS Key” could be a hash based on various elements inside the fossil repo, the repo name, the user, the password and of course a few other items hashed over multiple times for security. The user could then access the RSS feed without authentication but with the “RSS Key.”

The “RSS Key”, if anyone greps the log for it, would grant them access (until your password was changed) to view what has changed but not any detail. Thus, it is much less of a security hazard. With the Cookie name and value on the URL, anyone sniffing the network or watching logs could gain full access to your fossil repo. Not so with the RSS key idea.

I could implement the RSS Key in a very short time.

In regards to your JSON login problem, you may wish to implement something similar. Give a remote api key. Let the user log in with that key and their password. This secures things a bit more and would make it easier to deal with the SSO problem you are having.

Jeremy

> From: Stephan Beal
> Sent: Tuesday, November 22, 2011 4:29 PM
> To: Fossil SCM user's discussion
> Subject: Re: [fossil-users] Authentication via URL
>
> i'll try to answer that for you by tomorrow night as well. It should be simple to add the expiry time to the JSON output as well, so that the client can know how long the login will be valid for.
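One way to build the read-only “RSS Key” Jeremy proposes, as an added example that is neither Fossil's code nor code from anyone on this thread. It derives the key with HMAC-SHA256 under a server-side secret over the repo name, the user name and the user's stored password hash (my choice in place of “hashed over multiple times”), so a password change silently invalidates every key derived from the old hash, exactly the “until your password was changed” property he describes; and a request presenting the key is granted a single feed-reading right, never the user's full capability string. The user table, secret, repo name, parameter names and the capability name "rss" are constructed for the example.

```python
# Added example, not Fossil code and not from the thread: a derived, read-only
# "RSS Key" as sketched by Jeremy. Everything below is constructed sample data.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed; a deployment would keep this in the repo config
REPO_NAME = "example-repo"               # constructed
FEED_CAPABILITY = "rss"                  # constructed name for the one right an RSS key grants


def hash_password(password, salt):
    # Placeholder password hashing for the example; the stored hash is only an
    # input to the key derivation here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_user(password, caps):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "caps": caps}


# Constructed user table: name -> record. "hgjorz" is the capability string of
# the thread's json-demo user, reused here purely as sample data.
USERS = {"johndoe": make_user("secret", "hgjorz")}


def derive_rss_key(user, pw_hash):
    """The key shown to the user on the logout/password page."""
    msg = b"\x00".join([b"rss-key-v1", REPO_NAME.encode(), user.encode(), pw_hash.encode()])
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def feed_url(user, key):
    # Parameter names are constructed. The key rides in the URL, as an RSS
    # reader needs, but a leaked copy exposes only FEED_CAPABILITY.
    return f"/index.cgi/timeline.rss?user={user}&rsskey={key}"


def capabilities_for_feed_request(user, presented_key):
    """Rights granted to a feed request carrying user+key: {"rss"} or nothing."""
    record = USERS.get(user)
    if record is None:
        return set()
    expected = derive_rss_key(user, record["pw_hash"])
    # Constant-time comparison on bytes so a non-ASCII key cannot raise.
    if not hmac.compare_digest(expected.encode(), presented_key.encode()):
        return set()
    return {FEED_CAPABILITY}  # deliberately not record["caps"]


def change_password(user, new_password):
    """A password change rotates the derived key with no extra bookkeeping."""
    record = USERS[user]
    record["pw_hash"] = hash_password(new_password, record["salt"])
```

Because the key is derived rather than stored, nothing has to be revoked on a password change; the verifier simply recomputes and the old key no longer matches. The flip side, which Stephan's reply touches on, is that anyone who obtains the key can read the feed until the password changes, so the scope handed out on a successful match must stay as narrow as the single feed right above.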
Re: [fossil-users] Authentication via URL
Maybe it could be called Remote Key or something and used both for JSON and RSS.

Jeremy

> From: Jeremy Cowgar
> Sent: Tuesday, November 22, 2011 4:42 PM
> To: Fossil SCM user's discussion
> Subject: Re: [fossil-users] Authentication via URL
>
> In regards to your JSON login problem, you may wish to implement something similar. Give a remote api key. Let the user log in with that key and their password.
Re: [fossil-users] Authentication via URL
On Tue, Nov 22, 2011 at 10:42 PM, Jeremy Cowgar jer...@cowgar.com wrote:

> ...The “RSS Key”, if anyone greps the log for it, would grant them access (until your password was changed) to view what has changed but not any detail. Thus, it is much less of a security hazard.

Having a read-only API key of sorts sounds like an interesting idea. Since computer security is one of my weakest points, i'd be very interested in hearing some opinions on that idea from those more in-the-know on such matters.

> In regards to your JSON login problem, you may wish to implement something similar. Give a remote api key. Let the user log in with that key and their password. This secures things a bit more and would make it easier to deal with the SSO problem you are having.

The problem at the moment is that fossil's login model only supports one login record for each account, stored directly in the user table (except anonymous and other special internal accounts, which don't actually get a persistent login token). Fixing this for normal users would require either (A) recycling the auth token for each login (IMO not as bad as it initially sounds) or (B) storing one entry per login (which has the potential draw-back of unending growth in the login record table). Or perhaps (C), something completely different.

The JSON API doesn't actually implement its own login mechanism: instead it feeds the login info through fossil's normal authentication mechanism. When a JSON request includes an auth token (either in a cookie, a GET parameter, or part of the request envelope), it simply sends/verifies that through fossil's long-standing authentication internals. Because of that behaviour (and that behaviour is a hard requirement), it inherits the single-login-per-user limitation.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
Re: [fossil-users] Authentication via URL
On Nov 22, 2011, at 9:46 PM, Jeremy Cowgar wrote:

>> Try a smarter RSS reader? I remember having Opera read a few protected feeds...
>
> It's not that simple. Most RSS readers will authenticate via Basic Authentication, which most feeds are set up as. Fossil, on the other hand, does not directly support Basic Authentication. In order for you to read a protected Fossil RSS feed you have to log in via the Fossil login screen. No RSS reader (that I know of) will do this.

Well, I've mentioned one already: Opera. I've never seen an HTTP basic auth protected feed. The ones I've mentioned were forums where you had to log in using template-customizable login pages. I had to log in at that page and set feed syncing to an interval smaller than the session expire time. Worked flawlessly.

> It would have to be told where the login screen is, what the input names are for the username and password fields, then how to interpret the results.

I'm pretty sure that should not be a problem. This procedure can be replicated in something like 5 lines of Python. Compared to what I believe is the codebase of a typical RSS reader, this does not look too bad...

Kind regards,
Remigiusz Modrzejewski
Re: [fossil-users] Authentication via URL
On Tue, Nov 22, 2011 at 10:29 PM, Stephan Beal sgb...@googlemail.com wrote:

> On Tue, Nov 22, 2011 at 10:10 PM, Jeremy Cowgar jer...@cowgar.com wrote:
>
>> That does indeed work
>
> PS: on Thursday morning i'll be leaving town for the back woods of northern Germany for 4 days (without a PC), so i'll get the cookie name added to the JSON output tomorrow (Wednesday) evening before i leave.

i forgot to mention that i have a horrible disease called "can't sleep when there's an easy bug which can be fixed". i've got the code in place but i'm undecided on the JSON-side name of the login key. i'm hesitant to use the word "key" in the name because i want to avoid any potential confusion with "API key" and the like. The auth token value is called authToken, and i'm very hesitant to change that because it's already used in many, many places (more in docs than code). So now the 64kb question is: if the cookie's _value_ is called authToken, what should the cookie's _name_ be called? i apologize that i wasn't foresightful enough in advance to realize that the cookie's name might be useful in the JSON API (because it's effectively random, there didn't seem to be much use for it). e.g.:

    "payload": {
      "authToken": "2D0E/json-demo",
      "whatGoesHere???": "fossil-ABCDDCBA", // project-specific value
      ...
      "name": "json-demo",
      "capabilities": "hgjorz"
    }

--
- stephan beal
http://wanderinghorse.net/home/stephan/
Re: [fossil-users] Authentication via URL
On Wed, Nov 23, 2011 at 12:07 AM, Stephan Beal sgb...@googlemail.com wrote:

> i forgot to mention that i have a horrible disease called "can't sleep when there's an easy bug which can be fixed".

And it gets worse as the night goes on :/.

> So now the 64kb question is: if the cookie's _value_ is called authToken, what should the cookie's _name_ be called?

The answer was staring me in the face: the C function is called login_cookie_name(), so:

    stephan@tiny ~/cvs/fossil/fossil $ f ci -m 'Added loginCookieName to /json/login response payload, mainly as a crutch for certain scripting cases (e.g. RSS feeds). Still TODO: add future expiry time of cookie/token to response.' src/json_login.c
    Autosync:  http://step...@www.fossil-scm.org/fossil
                    Bytes      Cards  Artifacts     Deltas
    Sent:             177          2          0          0
    Received:        1136         25          0          0
    Total network traffic: 364 bytes sent, 784 bytes received
    New_Version: daa564c4df7894f2925179aa2521d21d5163258d

i'll try to get the expiry time added tomorrow night, else it will have to wait until next week (there are two obvious solutions, neither of them very signed-32-bit-friendly, or it would already be implemented).

@Jeremy: the lifetime of the login cookie is defined in the config table as cookie-expire, in seconds (default=8766, though i have no idea where that unusual number originally came from).

--
- stephan beal
http://wanderinghorse.net/home/stephan/
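The client side of what Stephan sketches earlier in the thread and wires up in this commit, as an added example that is neither Fossil's code nor code from anyone on the list. It takes a /json/login response (the values are the ones Stephan posted, with the loginCookieName field from this commit added; "fossil-ABCDDCBA" is his placeholder), checks that the cookie name has the "fossil-<hex>" shape before using it as a parameter name (an assumption about the name's form), percent-encodes the authToken because it contains "/", and works out when the token stops being usable from the response timestamp plus the cookie-expire default Stephan quotes, taken here as seconds as he states it.

```python
# Added example, not Fossil's code and not from the thread: turn a /json/login
# response into the timeline.rss pull URL and its expiry time.
import json
import re
from urllib.parse import quote

COOKIE_NAME_RE = re.compile(r"^fossil-[0-9A-Fa-f]+$")  # assumed shape of the login cookie name
DEFAULT_COOKIE_EXPIRE = 8766  # cookie-expire default as quoted in the thread (treated as seconds)

# Constructed: the response shown earlier in the thread plus loginCookieName.
LOGIN_RESPONSE = json.loads("""{
  "fossil": "013e8ee723fe17c61a74ef9aa69a3032e9aa3e55",
  "timestamp": 1321995094,
  "command": "login",
  "procTimeMs": 2,
  "payload": {
    "authToken": "2D0E39234B4A945C614C844ECCCE71EC4F05B40751E68A4AB8/CE59BB9F186226D8/json-demo",
    "loginCookieName": "fossil-ABCDDCBA",
    "name": "json-demo",
    "capabilities": "hgjorz"
  }
}""")


def feed_url_from_login(response, base_url):
    """Build the timeline.rss URL that carries the login cookie as a GET parameter."""
    payload = response.get("payload") or {}
    name = payload.get("loginCookieName")
    token = payload.get("authToken")
    if not name or not token:
        raise ValueError("login response has no loginCookieName/authToken")
    if not COOKIE_NAME_RE.match(name):
        # Refuse to splice an unexpected string into the query: it is used as a key.
        raise ValueError(f"unexpected cookie name: {name!r}")
    # safe="" so the slashes inside the token are percent-encoded.
    return f"{base_url.rstrip('/')}/timeline.rss?{name}={quote(token, safe='')}"


def token_expires_at(response, cookie_expire=DEFAULT_COOKIE_EXPIRE):
    """Unix time after which the token, and so the URL built from it, stops working."""
    return int(response["timestamp"]) + int(cookie_expire)


def feed_url_is_valid(response, now, cookie_expire=DEFAULT_COOKIE_EXPIRE):
    """True while the token is still inside its lifetime; re-login is needed after."""
    return now < token_expires_at(response, cookie_expire)


if __name__ == "__main__":
    base = "http://fossil.wanderinghorse.net/repos/fossil-sgb/index.cgi"
    print(feed_url_from_login(LOGIN_RESPONSE, base))
    print("expires at", token_expires_at(LOGIN_RESPONSE))
```

The expiry computation is the piece Stephan still lists as TODO; until the server reports it, a client can only estimate it from the response timestamp and the configured cookie-expire, and a reader must log in again and rebuild the URL once the token lapses. Since the whole token ends up in the query string, the URL is only as private as the server's access log, which is the concern Jeremy raises in the next message.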
Re: [fossil-users] Authentication via URL
IE will do the same thing but it simply relies on the cookie already being present. So, unless I log in and stay active and read my RSS feeds in IE, that doesn't work. I guess I am just used to a more conventional RSS reader application :-/

Jeremy

> -----Original Message-----
> From: Remigiusz Modrzejewski
> Sent: Tuesday, November 22, 2011 5:50 PM
> To: Fossil SCM user's discussion
> Subject: Re: [fossil-users] Authentication via URL
>
> Well, I've mentioned one already: Opera. I've never seen an HTTP basic auth protected feed. The ones I've mentioned were forums where you had to log in using template-customizable login pages. I had to log in at that page and set feed syncing to an interval smaller than the session expire time. Worked flawlessly.
[fossil-users] Authentication via URL
I would like to use my RSS reader to monitor a few timeline RSS feeds of mine from Fossil (tickets mainly). The problem is that on a few of the work projects, all repos are locked down. I cannot access the RSS feed without authenticating. I do not wish to duplicate all the username/passwords into a htpasswd setup and use REMOTE_USER because of the duplicate efforts. Thus I have made a change to fossil's login_check_credentials method to accept the query parameters authuser and authpass. If found, it attempts to authenticate off this string. Thus, I can do:

https://myrepo/index.cgi/timeline.rss?authuser=johndoe&authpass=secret

This works great, however, when thinking it through, it is not entirely secure even across https because the query string will be recorded in the access.log file which non-devs could gain access to and retrieve usernames and passwords.

One could use a base64 encoding like basic http authentication, but this causes the average joe to not be able to benefit from the change because who knows to take the username and password, concat them with a : and then base64 encode them? Not very user friendly.

One could encode the authuser and authpass into a POST query, but then RSS readers would not be able to take advantage of this.

How do others deal with this problem? I assume it is a legit problem? I believe that encoding on the URL may be the best solution, but open for suggestions.

Jeremy
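The exposure Jeremy describes, credentials landing in access.log because they travel in the query string, is one an operator can at least detect and contain. The following is an added example, not Fossil's code and not from anyone on the thread: a scrubber that scans combined-format access-log lines for the authuser/authpass parameters from Jeremy's patch, for a password parameter of the kind the /json/login URL later in the thread carries, for the "fossil-…" login-cookie-as-GET-parameter form Stephan proposes, and for the user:pass@host form, and rewrites the matching values so the log can be retained while reporting which lines leaked what. The log lines, addresses and tokens are constructed; the assumption that any "fossil-" parameter is a login cookie value follows from Stephan's description.

```python
# Added example, not Fossil code and not from the thread: find and redact
# credentials carried in request lines of a web-server access log.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values are credentials. authuser/authpass are from
# Jeremy's patch; "password" covers the /json/login?name=..&password=.. form.
SENSITIVE_PARAMS = {"authuser", "authpass", "password"}

# Request part of an Apache/nginx combined-format line (assumed layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_sensitive(param):
    p = param.lower()
    # Assumption: a "fossil-XXXX" parameter is the login cookie passed via GET.
    return p in SENSITIVE_PARAMS or p.startswith("fossil-")


def redact_target(target):
    """Return (redacted_target, names): names lists what was redacted.
    A target with nothing sensitive is returned unchanged, byte for byte."""
    parts = urlsplit(target)
    found = []
    netloc = parts.netloc
    if "@" in netloc:  # http://user:pass@host, seen when a proxy logs absolute URLs
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]
        found.append("userinfo")
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive(key):
            found.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return target, []
    # urlencode re-encodes the surviving values, so e.g. "%20" may come back as "+".
    rebuilt = urlunsplit((parts.scheme, netloc, parts.path, urlencode(pairs), parts.fragment))
    return rebuilt, found


def scrub_log(lines):
    """Scrub every line; return (clean_lines, report), where report maps the
    1-based line number to the names redacted there, for follow-up (e.g. which
    accounts need a password change)."""
    clean, report = [], {}
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            new_target, found = redact_target(match.group("target"))
            if found:
                report[number] = found
                line = line[:match.start("target")] + new_target + line[match.end("target"):]
        clean.append(line)
    return clean, report


# Constructed access-log lines (addresses, times and token values are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Nov/2011:21:32:10 +0100] "GET /index.cgi/timeline.rss?authuser=johndoe&authpass=secret HTTP/1.1" 200 4821',
    '10.0.0.5 - - [22/Nov/2011:21:33:02 +0100] "GET /index.cgi/timeline.rss?fossil-ABCDDCBA=2D0E39%2FCE59%2Fjson-demo HTTP/1.1" 200 4821',
    '10.0.0.9 - - [22/Nov/2011:21:34:40 +0100] "GET /index.cgi/timeline?y=t HTTP/1.1" 200 9120',
    '10.0.0.9 - - [22/Nov/2011:21:35:01 +0100] "POST /index.cgi/json/login HTTP/1.1" 200 310',
    '10.0.0.7 - - [22/Nov/2011:21:36:15 +0100] "GET http://johndoe:secret@myrepo/index.cgi/timeline.rss HTTP/1.1" 200 4821',
]

if __name__ == "__main__":
    cleaned, leaks = scrub_log(SAMPLE_LOG)
    for number, names in leaks.items():
        print(f"line {number}: redacted {', '.join(names)}")
    print("\n".join(cleaned))
```

Scrubbing is damage limitation, not a fix: by the time the value is in the log it has already crossed the wire and any copy of the log made before the scrub still holds it. The report is what you act on, treating each flagged account's password or token as exposed. Note also that the POST to /json/login on the fourth line carries its credentials in the body, which a standard access log does not record, which is exactly why Jeremy's POST option is safer for the log and useless for an RSS reader.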
Re: [fossil-users] Authentication via URL
On Mon, Nov 21, 2011 at 8:36 PM, Jeremy Cowgar jer...@cowgar.com wrote:

> https://myrepo/index.cgi/timeline.rss?authuser=johndoe&authpass=secret

Did you know that you can do: http://user:pass@ ? i haven't ever tried it with ssl, but it should work i would guess.

--
- stephan beal
http://wanderinghorse.net/home/stephan/