On Thu, Aug 26, 2021 at 04:17:16PM +0200, Daniel Sahlberg wrote: > Den tors 26 aug. 2021 kl 16:10 skrev Stefan Sperling <s...@elego.de>: > > > On Thu, Aug 26, 2021 at 02:41:44PM +0200, Johan Corveleyn wrote: > > > I get the feeling I'm missing something, but I still don't understand > > > what authz has to do with the problem at hand here (i.e. detecting > > > expired passwords so we can ask the user for the new one). > > > > The problem is that some repositories (like our own) do not require > > any authentication in order to read data. > > > > Your case where 'svn ls' asks for a password is not applicable for > > public repositories on svn.apache.org, for example. The 'svn auth add' > > command would not get an authentication challenge by running the > > equivalent of what 'svn ls' is doing. We do not have a way to trigger > > the challenge without modifying the repository somehow. > > > > Is it possible to have the client "throw" the username/password at the > server even if the server doesn't issue a challenge? Would the server > validate the username/password (even though authz would allow anonymous > access)? > > /Daniel Sahlberg
Unfortunately, it is not. There are many authentication schemes and at least two protocols to consider (HTTP + svn). Some authentication schemes even require data that is generated on the server when it sends the authentication request, such as a nonce.
