Quoth José Miguel Sánchez García:
> Thanks for suggesting basic! I wasn't sure about it, as it's pretty
> insecure nowadays. But I acknowledge that, for quark's use cases, it
> is perfectly reasonable.

I don't think it's insecure presuming the HTTP is being served behind some TLS connection. And if you're doing authentication you want that anyway. I haven't particularly thought it through, though, maybe there's something dangerous about it. I mean, lack of browser support for a straightforward "log out" function sucks, but hey, it's the web, of course it's broken.

The filesystem based thing sounds odd to me, personally - I think it's common for websites to have a quite different set of users to those that exist on the server operating system. But I think setting it in config.h is also a bad idea, as one of the nice design things about quark is the ability to run it straight from the command line, and needing to recompile to redo authentication would detract from that.

Maybe a simple authentication file with username<space>password one per line, which is passed to a flag, would be good? If you want a system with different files accessible to different users, though, then reusing filesystem permissions is the only non-intrusive way I can imagine.

Just some early morning thoughts. I look forward to Anselm replying and saying that authentication is out of scope for quark, keeping us all honest ;)

Nick
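The `username<space>password` file suggested in the message above, checked against a Basic credential: an added C example, not part of the original message and not quark's code. The names `ct_equal`, `authfile_check` and `sample_authfile` are hypothetical, and the sketch assumes the `Authorization: Basic` value has already been base64-decoded to `username:password` and that passwords are stored in plaintext, as the proposed format implies.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample file contents: two valid entries, a blank line,
 * a line with no separator, and an entry with an empty password. */
const char sample_authfile[] =
	"alice s3cret\nbob pass with spaces\n\nbroken\ncarol \n";

/* Compare without an early exit, so timing does not reveal how many
 * leading bytes of a guess were right. Lengths are not kept secret. */
static int
ct_equal(const char *a, size_t alen, const char *b, size_t blen)
{
	unsigned char diff = (alen != blen);
	size_t i;

	for (i = 0; i < alen && i < blen; i++)
		diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
	return diff == 0;
}

/* authfile: text of the credentials file, one "username<space>password"
 * per line; the first space separates, so passwords may contain spaces.
 * cred: decoded Basic credential "username:password"; the first colon
 * separates, so usernames cannot contain ':'.
 * Returns 1 on a match, 0 otherwise. */
int
authfile_check(const char *authfile, const char *cred)
{
	const char *colon = strchr(cred, ':');
	const char *line, *eol = authfile, *sp;
	size_t ulen, plen;
	int ok = 0;

	if (!colon || colon == cred)
		return 0; /* no separator or empty username */
	ulen = (size_t)(colon - cred);
	plen = strlen(colon + 1);

	for (line = authfile; *line; line = *eol ? eol + 1 : eol) {
		eol = line + strcspn(line, "\n");
		sp = memchr(line, ' ', (size_t)(eol - line));
		if (!sp || sp == line || sp + 1 == eol)
			continue; /* blank, malformed or empty password */
		/* every line is scanned; no early return on the first hit */
		ok |= ct_equal(line, (size_t)(sp - line), cred, ulen) &
		      ct_equal(sp + 1, (size_t)(eol - sp - 1), colon + 1, plen);
	}
	return ok;
}
```

An entry with an empty password never authenticates, so a stray trailing space in the file cannot create a passwordless account.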
