Re: HTTP Authentication for Gofer

[Stuart Johnston]

Stuart Johnston wrote:
Tim Bunce wrote:
On Fri, Mar 05, 2010 at 01:58:52PM -0600, Stuart Johnston wrote:
I am exploring a few different options for adding authentication
support to Gofer::Transport::http and I would appreciate any
feedback.
The most straightforward option is to add several attributes
(netloc, realm, http_user, and http_password) that would be passed
to the $useragent->credentials.  These could be specified in the DSN
or in %attrs (using the go prefix).  This is the style that we are
currently using in our dev code.

I think that most people don't usually think about the netloc and
realm when using http auth, from the client side.  It would be
possible to avoid setting these by subclassing LWP::UserAgent and
the get_basic_credentials method.

Another option would be to specify the username and password in the
URL, (http://userid:passw...@example.com/).  The big advantage here
is that the DBI distribution would not need to be touched.  However,
some people may have concerns about potential security issues with
this method.

Either, or both, of the first two sounds good. Plus some docs of course.

Send me a patch, or send me your your https://svn.perl.org/accounts/
username and I'll give you a commit bit.

My svn user is: sjohnston

Changes to DBI will be required to add the new attributes.  Should I 
worry about backwards compatibility in the Gofer Transport with existing 
DBI versions or can I just bump the PREREQ_PM?

OK, never mind about that.  I thought I had to add the attribute 
accessors in the Base class but it seems to work just fine in 
DBD::Gofer::Transport::http.

I also just noticed that LWP allows the username and password to be set 
at the request level using authorization_basic.  This method doesn't 
require the netloc and realm.  This makes the change as simple as the 
diff below.  If this looks ok, I commit it with appropriate docs.

thanks,
Stuart



--- lib/DBD/Gofer/Transport/http.pm     (revision 13836)
+++ lib/DBD/Gofer/Transport/http.pm     (working copy)
@@ -26,6 +26,8 @@
 __PACKAGE__->mk_accessors(qw(
     http_req
     http_ua
+    go_http_user
+    go_http_password
 ));

 # (XXX All this rety logic should move into core gofer transport base 
classes)
@@ -68,6 +70,8 @@
             my $url = $self->go_url || croak "No url specified";
             my $request = HTTP::Request->new(POST => $url);

$request->content_type('application/x-perl-gofer-request-binary');
+            $request->authorization_basic($self->go_http_user, 
$self->go_http_password)
+                if ($self->go_http_user);
             $request;
         };
         my $http_ua = $self->{http_ua} ||= do {