- ๐ณ๐ฟNew Zealand quietone
There has been no discussion on this issue, perhaps this is no longer a problem?
is this still relevant to Drupal 10 or later?
Since we need more information to move forward with this issue, I am keeping the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.
Thanks!
- Status changed to Active
4 months ago 10:05pm 27 August 2024 - ๐ฆ๐บAustralia mstrelan
As per this slack thread it seems the basic_auth module intercepts requests that do not have the basic_auth option set on the route as described in the docs โ . If (invalid) auth is provided it will return a 403 even though the route should not be protected.
- ๐ฆ๐บAustralia sime Melbourne
I put in a steps to reproduce to try to capture what might be going wrong in the real world. Note that removing these cached credentials wassn't altogether easy for me in Firefox without having to apply a broad brush and remove a lot of history and credentials
manibharathi ezhimalai ravi โ made their first commit to this issueโs fork.
- Merge request !9389Issue #2839210 : Basic auth returns 403 when username & password supplied but not needed. โ (Open) created by manibharathi ezhimalai ravi
- Status changed to Needs review
4 months ago 7:59am 2 September 2024 - Status changed to Needs work
4 months ago 8:13am 2 September 2024 - ๐ฆ๐บAustralia mstrelan
We need to consider if basic auth should apply to the route.
- Status changed to Needs review
4 months ago 12:08pm 2 September 2024 Hi,
By default Drupal will check the all the route values. Since we checking credentials from the request header all the URL's should be verified.mstrelan, Let me know Incase of missing any functionality check for this implementation.
- Status changed to Needs work
4 months ago 11:11pm 2 September 2024 - ๐ฆ๐บAustralia mstrelan
By default Drupal will check the all the route values. Since we checking credentials from the request header all the URL's should be verified.
That's the bug we are trying to fix though. According to the docs for basic_auth โ the access should only be applied to routes with the basic_auth option:
options: _auth: [ 'basic_auth' ] Hi,
Trying to add the condition whether the current request is coming with the options _auth and value should basic_auth. But getting the test failure after implementing the changes.- ๐ฎ๐ณIndia prashant.c Dharamshala
You may want to post the snippet here or push the changes so that someone can help or guide you through this.
Updated the code changes for the _auth check for the current page route exist with the basic_auth or not.
but testcase failing in the basicauthtest. Attaching the screenshot of the unit testcase fails.
Hi,
Updated the MR with _auth check condition instead user checking._auth checking condition is added based on the #23 ๐ Basic auth returns 403 when username & password supplied but not needed. Needs work and also feedback received in the thread.