Basic auth returns 403 when username & password supplied but not needed.

Created on 25 December 2016, over 7 years ago
Updated 6 September 2024, 7 days ago

See Drupal\basic_auth\Authentication\Provider

  // BasicAuth::applies(): the provider claims the request whenever both
  // Basic auth headers are present, without looking at the route and
  // without checking that the credentials are valid.
  public function applies(Request $request) {
    $username = $request->headers->get('PHP_AUTH_USER');
    $password = $request->headers->get('PHP_AUTH_PW');
    return isset($username) && isset($password);
  }

This means that basic auth applies whenever the user submits a username and password. However, my route has _access = TRUE and I've spent a long time wondering why that was overridden and I was still getting a 403.
Surely basic auth should apply according to some route parameter, not according to what the user does?

Steps to reproduce

This is attempting to recreate the problem with a real-world scenario.

  1. Basic auth is on
  2. Site is pre-prod, shield (contrib) is also on
  3. End user has been asked for shield creds, cached in browser
  4. Go live, shield removed
  5. Requests still send auth headers
  6. End user gets 403 everywhere

If you uninstall basic_auth OR use private window the problem goes away. Or clear enough browser history/credentials...

Remaining tasks

PHPUnit test case failure needs to be fixed.
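As an added illustration (not code from Drupal core or from the MR), the plain-PHP model below shows how a provider whose applies() looks only at the headers, combined with the per-route _auth option filter that the basic_auth docs describe, turns credentials a browser still sends into a 403 on a route that never opted in to basic_auth, and how a route-aware applies() would behave instead. Function names and the sample request values are this example's own assumptions.

```php
<?php
// Illustrative model: mirrors the shape of the authentication pipeline
// (provider applies() -> route filter -> 403) with plain arrays so that it
// runs with the php CLI alone. Not Drupal core code; names are invented.

const GLOBAL_PROVIDERS = ['cookie'];

// Current behaviour of BasicAuth::applies(): header presence alone decides.
function basic_auth_applies(array $headers): bool {
  return isset($headers['PHP_AUTH_USER']) && isset($headers['PHP_AUTH_PW']);
}

// Route filter: a provider is allowed on a route if the route's _auth option
// lists it, or, when the route has no _auth option, if the provider is global.
function provider_allowed_on_route(array $route_options, string $provider_id): bool {
  if (isset($route_options['_auth'])) {
    return in_array($provider_id, $route_options['_auth'], TRUE);
  }
  return in_array($provider_id, GLOBAL_PROVIDERS, TRUE);
}

// Route-aware variant in the direction the issue asks for: only claim the
// request when the matched route has opted in to basic_auth.
function basic_auth_applies_route_aware(array $headers, array $route_options): bool {
  return basic_auth_applies($headers)
    && provider_allowed_on_route($route_options, 'basic_auth');
}

// Status the request reaches before the route's own access check runs.
function handle(array $headers, array $route_options, bool $route_aware): int {
  $applies = $route_aware
    ? basic_auth_applies_route_aware($headers, $route_options)
    : basic_auth_applies($headers);
  if ($applies && !provider_allowed_on_route($route_options, 'basic_auth')) {
    // The provider claimed the request but the route does not allow it.
    return 403;
  }
  return 200;
}

// Constructed inputs: a public route with no _auth option, a browser that
// still sends the credentials it cached for shield, and the same request bare.
$public_route = ['_access' => TRUE];
$stale = ['PHP_AUTH_USER' => 'shield-user', 'PHP_AUTH_PW' => 'stale-secret'];
foreach (['header-only applies()' => FALSE, 'route-aware applies()' => TRUE] as $label => $route_aware) {
  printf("%-22s bare: %d  with stale headers: %d\n", $label,
    handle([], $public_route, $route_aware), handle($stale, $public_route, $route_aware));
}
```

Running it side by side shows that only the header-only variant rejects the public route when stale headers are present; the route-aware variant ignores the headers there and lets the route's own _access = TRUE decide.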

🐛 Bug report
Status

Needs work

Version

11.0 🔥

Component
Basic auth 

Last updated 1 day ago


Merge Requests

Comments & Activities


  • 🇳🇿New Zealand quietone New Zealand

    There has been no discussion on this issue; perhaps this is no longer a problem?

    Is this still relevant to Drupal 10 or later?

    Since we need more information to move forward with this issue, I am keeping the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!

  • Status changed to Active 17 days ago
  • 🇦🇺Australia mstrelan

    As per this Slack thread, it seems the basic_auth module intercepts requests that do not have the basic_auth option set on the route as described in the docs. If (invalid) auth is provided it will return a 403 even though the route should not be protected.

  • 🇦🇺Australia sime Canberra

    I put in steps to reproduce to try to capture what might be going wrong in the real world. Note that removing these cached credentials wasn't altogether easy for me in Firefox without having to apply a broad brush and remove a lot of history and credentials.

  • 🇦🇺Australia sime Canberra

    I believe this issue is related.

  • Status changed to Needs review 11 days ago
  • Hi,
    I have created the MR !9389 for this feature.

    Before Patch:

    After Patch:

  • Status changed to Needs work 11 days ago
  • 🇦🇺Australia mstrelan

    We need to consider if basic auth should apply to the route.

  • Pipeline finished with Failed
    11 days ago
    Total: 5396s
    #271431
  • Pipeline finished with Failed
    11 days ago
    Total: 154s
    #271610
  • Pipeline finished with Success
    11 days ago
    Total: 690s
    #271618
  • Status changed to Needs review 11 days ago
  • Hi,
    By default Drupal will check all the route values. Since we are checking credentials from the request header, all the URLs should be verified.

    mstrelan, let me know in case any functionality check is missing for this implementation.

  • Status changed to Needs work 10 days ago
  • 🇦🇺Australia mstrelan

    By default Drupal will check all the route values. Since we are checking credentials from the request header, all the URLs should be verified.

    That's the bug we are trying to fix though. According to the docs for basic_auth the access should only be applied to routes with the basic_auth option:

      options:
        _auth: [ 'basic_auth' ]
    
  • Hi,
    Trying to add the condition of whether the current request is coming with the _auth option and the value should be basic_auth. But getting the test failure after implementing the changes.

  • 🇮🇳India Prashant.c Dharamshala

    You may want to post the snippet here or push the changes so that someone can help or guide you through this.

  • Pipeline finished with Failed
    7 days ago
    Total: 264s
    #275575
  • Pipeline finished with Failed
    7 days ago
    Total: 123s
    #275588
  • Updated the code changes for the _auth check of whether the current page route exists with basic_auth or not.

    But the test case is failing in BasicAuthTest. Attaching the screenshot of the unit test case failures.

  • Pipeline finished with Failed
    7 days ago
    Total: 481s
    #275589