- ๐บ๐ธUnited States Kristen Pol Santa Cruz, CA, USA
Tagging for the Bug Smash Initiative.
- ๐ณ๐ฑNetherlands dries arnolds ๐ณ๐ฑ Amsterdam
I ran into this as well and the patch in #57 fixed it. I'm on Drupal 9.5.8.
- ๐ณ๐ฑNetherlands dries arnolds ๐ณ๐ฑ Amsterdam
The solution from #57 still works fine on Drupal 10.2. Is there any reason not to (reroll and) commit this?
- Status changed to Needs work
over 1 year ago 12:13am 12 April 2024 - ๐ณ๐ฟNew Zealand quietone
This was discussed at a Bug Smash meeting yesterday with larowlan, dsci, and pameeela. The conclusion was that this is a feature request. The issue summary took a while to understand so adding the tag for an IS update.
@dsci plans to come back to this issue later this week and do triage. Let's hope that happens.
- ๐ฆ๐บAustralia pameeela
Updated IS to make the use case a bit more clear, but it probably still needs further updates.
Discussing in Slack we are not sure this is a bug, as even the OP concedes.
- last update
over 1 year ago 29,715 pass, 2 fail - ๐ช๐ธSpain Carlos Romero
carlos romero โ made their first commit to this issueโs fork.
- Merge request !9678Issue #3465132 by catch, Spokje, nod_: Show test run time by class in run-tests.sh output โ (Closed) created by Carlos Romero
- Merge request !9679Basic Auth module conflicts with server-level Site Lock implementations โ (Open) created by Carlos Romero
- Merge request !9680Basic Auth module conflicts with server-level Site Lock implementations โ (Open) created by Carlos Romero
- Merge request !9681Basic Auth module conflicts with server-level Site Lock implementations โ (Open) created by Carlos Romero
- ๐จ๐ญSwitzerland handkerchief
As described in #70, the patch in #57 works for us with Drupal 10.3.5, it would be great if this issue is going further in progress.
- First commit to issue fork.
- ๐ซ๐ทFrance prudloff Lille
prudloff โ changed the visibility of the branch 10.4.x to hidden.
- ๐ซ๐ทFrance prudloff Lille
prudloff โ changed the visibility of the branch 10.3.x to hidden.
- ๐ซ๐ทFrance prudloff Lille
prudloff โ changed the visibility of the branch 2842858-basic-auth-module to hidden.
- ๐ซ๐ทFrance prudloff Lille
I think #24 is a valid concern (see ๐ฑ [policy] Treat username enumerations as security bugs that require Security Advisories Active ).
- Merge request !12860Issue #2842858 by codebymikey: Avoid conflicts with server-level Basic auth implementations โ (Open) created by codebymikey
codebymikey โ changed the visibility of the branch 11.x to hidden.
Added the username check on the basic auth prompt (hidden behind a setting) and a simple test case for it.
- ๐ฌ๐งUnited Kingdom longwave UK
> The basic auth provider will only act upon routes which have been explicitly tagged with the
basic_auth
_auth
option.If basic_auth is enabled, and basic auth is received on a route that is *not* tagged for basic auth, should we log or display a warning message?
> The basic auth provider will only act upon routes which have been explicitly tagged with the basic_auth _auth option.
If basic_auth is enabled, and basic auth is received on a route that is *not* tagged for basic auth, should we log or display a warning message?
That's an accidental entry to the issue summary, and actually meant for the ๐ Basic auth returns 403 when username & password supplied but not needed. Needs work issue.
The changes so far only check for the username's existence.
But no, I don't think it's worth logging it as modules making use of
basic_auth
should already be tagged as such, and bad actors can use this as a means of filling up the logs without suffering the penalty of being banned by the flood control system.- ๐ฌ๐งUnited Kingdom longwave UK
Instead of having a settings.php entry, how about a submodule, e.g. "Basic Auth with Site Lock" (the name probably needs work) - this would act as the flag instead? The module description can explain why you might want this enabled if you are using Basic Auth.
- Status changed to Needs review
about 8 hours ago 4:02pm 31 July 2025 Instead of having a settings.php entry, how about a submodule, e.g. "Basic Auth with Site Lock" (the name probably needs work) - this would act as the flag instead?
The feature flag module idea is interesting, but seems like potential overhead (haven't benchmarked how expensive calls to the module handler checks are) for a feature that most sites would probably rarely need.
I took inspiration with how the phpinfo() status page behaviour โ was changed, and the setting seemed like the way to go for a functionality tightly coupled with the site's security.
However if that's the convention going forward for core to make it easier for non-technical people to work with it, then I have no objection.
Would need input from members on the core team to provide further direction on this.
- ๐ฌ๐งUnited Kingdom longwave UK
Yeah, it's never been clear to me where this sort of thing should go. Right now we have an awkward combination of:
$settings
array in settings.php$config
array in settings.php- config form with a UI
- container parameter in services.yml
- feature flag module
- some new API? โจ Add an API for feature flags Active
Also ideally it wouldn't be a
moduleExists()
check, instead the code to handle this feature would live self-contained in the contrib module, extendingbasic_auth
as necessary.