Authentication providers can fail access on routes with _access: 'TRUE'

Created on 7 September 2021, about 3 years ago
Updated 13 April 2023, over 1 year ago

Problem/Motivation

A route with _access: 'TRUE' should always allow access.

However, it's possible for authentication to fail.

Steps to reproduce

1. Enable basic_auth module
2. Set up an image derivative
3. Go to the URI for the derived image, with an Authorization HTTP header which looks like "Basic something-that-will-fail"
4. Get a 403

This is because the Authorization header causes the BasicAuth authentication provider to report that it applies to the request. It will then fail authentication.

Furthermore, the log message is unclear: it says 'The used authentication method is not allowed on this route' which isn't actually the problem.

🐛 Bug report
Status

Active

Version

10.1 ✨

Component
Routing →

Last updated 3 days ago

Created by

🇬🇧 United Kingdom joachim
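
The sequence described in this report, as an added example that is not Drupal core code or the reporter's: a simplified PHP model in which the authentication stage runs before the route's `_access` requirement is read. The function names, the sample route path and the sample account are assumptions made for illustration.

```php
<?php
// Simplified model of the request flow described in the report.
// All names are hypothetical; this is not Drupal core code.

/** Models a provider that claims any request carrying "Authorization: Basic ...". */
function basic_auth_applies(array $headers): bool {
  return isset($headers['Authorization'])
    && stripos($headers['Authorization'], 'Basic ') === 0;
}

/** Returns the user name on success, NULL on failure. $users is constructed sample data. */
function basic_auth_authenticate(array $headers, array $users): ?string {
  $decoded = base64_decode(substr($headers['Authorization'], 6), true);
  if ($decoded === false || strpos($decoded, ':') === false) {
    return null; // Malformed credentials, e.g. "Basic something-that-will-fail".
  }
  [$name, $pass] = explode(':', $decoded, 2);
  return (isset($users[$name]) && hash_equals($users[$name], $pass)) ? $name : null;
}

/** Authentication runs first; the route's access requirement is only read afterwards. */
function handle(array $route, array $headers, array $users): array {
  if (basic_auth_applies($headers)
      && basic_auth_authenticate($headers, $users) === null) {
    // Denied here, before the route requirements are consulted.
    return [403, 'The used authentication method is not allowed on this route'];
  }
  // Access check stage: _access: 'TRUE' always allows.
  if (($route['requirements']['_access'] ?? '') === 'TRUE') {
    return [200, 'access check passed'];
  }
  return [403, 'access check failed'];
}

// Constructed sample route and account.
$route = ['path' => '/constructed/derivative.png', 'requirements' => ['_access' => 'TRUE']];
$users = ['alice' => 'correct-password'];

$cases = [
  'no Authorization header' => [],
  'failing Basic header' => ['Authorization' => 'Basic something-that-will-fail'],
  'valid Basic header' => ['Authorization' => 'Basic ' . base64_encode('alice:correct-password')],
];
foreach ($cases as $label => $headers) {
  [$status, $reason] = handle($route, $headers, $users);
  printf("%-26s -> %d (%s)\n", $label, $status, $reason);
}
```

Only the request with the failing header is denied, even though the route's requirement is identical in all three cases.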
