Basic Auth module conflicts with server-level "Site Lock" implementations

Created on 12 January 2017, over 7 years ago
Updated 17 April 2024, 2 months ago

Problem/Motivation

Many platforms and development environments use Basic Auth configured on the server to provide a Site Lock. This allows making sites available to select people via the public web without exposing the site to the public in general. For example, https://pantheon.io/docs/lock-environment/. This could be a "production" site before it goes live, or on a dev/staging site.

This server-level auth can conflict with Basic Auth in Drupal if it is set up for access to an API endpoint.

Per http://drupal.stackexchange.com/a/212800/394 and an examination of the Basic Auth provider code, what's happening is that if a request carries Basic Auth headers, PHP picks them up and the Basic Auth module in core is "triggered" to attempt authentication with those credentials. If that attempt fails, the response is access denied. After all, a login attempt just failed.

The frustration level this issue can cause makes it a major DX issue when the stars align, and while I marked it as a bug, you could argue it's a support request.

Proposed resolution

This issue is complicated because it could be considered a feature, not a bug. However, there is a common expectation that a "site lock" can be configured without regard for the application configuration.

One solution could be a simple configuration option that checks whether the user account named in the credentials exists, and if it does not, treats the request as anonymous instead of denying it.

Another possibility would be supporting the Drupal site issuing Basic Auth challenges, allowing the site itself to provide the "lock UI".
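To make the conflict concrete, the following is an added model of the two layers reading the same Authorization header; it is not Drupal code, and the names (site_lock, app_basic_auth, handle_request, the constructed credential stores) are assumptions. It reproduces the behaviour described above (credentials present but unknown to the application result in access denied) and the first proposed resolution (an option to treat an unknown account as anonymous):

```python
"""Model of a server-level Basic Auth "site lock" colliding with an
application-level Basic Auth provider. Added illustration; the function
names and credential stores below are constructed, not Drupal's."""
import base64
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample credentials. The lock pair lives in the web server
# config; the application's user table knows nothing about it.
SITE_LOCK_USER, SITE_LOCK_PASSWORD = "preview", "lock-secret"
APP_USERS = {"apiuser": "api-secret"}


@dataclass
class Outcome:
    status: int
    user: Optional[str] = None
    reason: str = ""


def parse_basic(headers: dict) -> Optional[tuple]:
    """Decode an RFC 7617 'Authorization: Basic <b64>' header.
    Returns (user, password) or None when absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def site_lock(headers: dict) -> Optional[Outcome]:
    """Server layer: every request is 401 unless the lock credentials match.
    On success the request passes through with the header still attached."""
    creds = parse_basic(headers)
    if creds is None:
        return Outcome(401, reason="site lock challenge")
    user, password = creds
    if user != SITE_LOCK_USER or not hmac.compare_digest(password, SITE_LOCK_PASSWORD):
        return Outcome(401, reason="site lock rejected credentials")
    return None


def app_basic_auth(headers: dict, ignore_unknown_accounts: bool = False) -> Outcome:
    """Application layer, modelled on the behaviour the issue describes:
    if Basic credentials are present the provider applies, and a failed
    authentication is access denied (403) rather than anonymous."""
    creds = parse_basic(headers)
    if creds is None:
        return Outcome(200, None, "no credentials, anonymous")
    user, password = creds
    if user not in APP_USERS:
        if ignore_unknown_accounts:  # the proposed configuration option
            return Outcome(200, None, "unknown account, treated as anonymous")
        return Outcome(403, None, "unknown account")
    if not hmac.compare_digest(password, APP_USERS[user]):
        return Outcome(403, None, "wrong password")
    return Outcome(200, user, "authenticated")


def handle_request(headers: dict, ignore_unknown_accounts: bool = False) -> Outcome:
    """Full path: the server lock runs first, then the application."""
    return site_lock(headers) or app_basic_auth(headers, ignore_unknown_accounts)


def basic_header(user: str, password: str) -> dict:
    """Build the header a browser sends after a Basic Auth prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    lock_creds = basic_header(SITE_LOCK_USER, SITE_LOCK_PASSWORD)
    print(handle_request(lock_creds))                               # 403: unknown account
    print(handle_request(lock_creds, ignore_unknown_accounts=True))  # 200: anonymous
    print(handle_request(basic_header("apiuser", "api-secret")))     # 401: lock rejects
```

The third call in the usage block shows the other half of the problem: because there is only one Authorization header per request, a client that presents the application's API credentials never gets past the lock, so a locked environment cannot serve Basic-Auth-protected endpoints at all. The ignore_unknown_accounts option makes the locked site usable for browsing, but note that it also makes the response for an unknown username (anonymous) differ from the response for a known username with a wrong password (denied), which is worth keeping in mind when deciding whether to expose it as a default.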

Remaining tasks

Decide if this is a problem that should be solved. If not solved, this becomes a documentation problem to explain what's going on and recommended workarounds.

User interface changes

?

API changes

?

Data model changes

?

Feature request
Status

Needs work

Version

11.0

Component
Basic auth 

Last updated about 1 month ago

Created by

🇺🇸United States Grayside

  • Contributed project blocker

    It denotes an issue that prevents porting of a contributed project to the stable version of Drupal due to missing APIs, regressions, and so on.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States Kristen Pol Santa Cruz, CA, USA

    Tagging for the Bug Smash Initiative.

  • 🇳🇱Netherlands Dries Arnolds 🇳🇱 Amsterdam

    I ran into this as well and the patch in #57 fixed it. I'm on Drupal 9.5.8.

  • 🇳🇱Netherlands Dries Arnolds 🇳🇱 Amsterdam

    The solution from #57 still works fine on Drupal 10.2. Is there any reason not to (reroll and) commit this?

  • Status changed to Needs work 3 months ago
  • 🇳🇿New Zealand quietone New Zealand

    This was discussed at a Bug Smash meeting yesterday with larowlan, dsci, and pameeela. The conclusion was that this is a feature request. The issue summary took a while to understand so adding the tag for an IS update.

    @dsci plans to come back to this issue later this week and do triage. Let's hope that happens.

  • 🇦🇺Australia pameeela

    Updated IS to make the use case a bit more clear, but it probably still needs further updates.

    Discussing in Slack we are not sure this is a bug, as even the OP concedes.

  • Test run (PHP 8.1 & MariaDB 10.3.22), last update 2 months ago: 29,715 pass, 2 fail