- Issue created by @solideogloria
- Status changed to Needs review
about 1 year ago 10:30pm 11 December 2023 Per ๐ Prevents normal website access by restricting all routes by default Needs work , I have verified that the suggested changes allow normal website access, and batches work.
I also verified that I cannot access an endpoint as a blacklisted IP, nor as an IP not listed in an active whitelist.
- ๐ฆ๐ทArgentina tguerineau
I have conducted further testing of the
ip_consumer_auth
module with the applied patch in a Drupal 9 environment. Here are my updated findings:- Whitelist Test: When IP
172.22.0.1
was whitelisted, anonymous users received a200 OK
status with no output, which is expected behavior indicating access is allowed. - Blacklist Test: Using the same IP as a blacklist entry or a fake IP
111.2.3.1
in the whitelist resulted in the error{"message":"The used authentication method is not allowed on this route."}
for both anonymous and authenticated users. This was unexpected, as the response suggests an authentication method issue rather than an IP restriction response. - Authenticated Users: Consistently received the error message regardless of the IP configuration, indicating a potential misconfiguration in authentication methods for the REST endpoint.
Behavior without the Module:
- When the
ip_consumer_auth
module was disabled, accessing the endpoint did not yield any authentication errors, suggesting that the REST endpoint itself is configured correctly to allow access without additional authentication methods.
Conclusion and Queries:
- The behavior suggests that while the whitelist functionality of the
ip_consumer_auth
module works correctly for anonymous users, there are issues when IPs are blacklisted or not included in an active whitelist. Specifically, the consistent authentication method error is perplexing, given that it does not occur when the module is disabled. - Are there specific configurations within the
ip_consumer_auth
module that might be causing this behavior, or could this indicate a deeper issue with the patch or the module's interaction with Drupal's authentication system?
- Whitelist Test: When IP
- Status changed to Needs work
about 1 year ago 7:38pm 12 December 2023 @tguerineau: Yeah, I think my assumption of how the
AuthenticationProviderInterface::applies
function works was wrong. I realized that anonymous users would be unable to log in with my patch applied.However, it wasn't correct without a patch, either, or with any of the other patches suggested so far.
The main issue with how it worked before, with the vanilla module, was that the applies function returned FALSE when it shouldn't, and whenever it did return FALSE, the IP authentication was completely ignored.
Are you able to reproduce any issues with the vanilla module and the patch โ from ๐ Prevents normal website access by restricting all routes by default Needs work applied?
Basically, I can't find a configuration and patch combination that gets the module to work in all cases...
Do you have any experience writing tests? Maybe we should write tests first, to make sure we know what should happen.
- ๐ฆ๐ทArgentina tguerineau
Hi @solideogloria,
Yes, I have some experience writing tests.
I can work on adding the tests to cover all possible cases, to ensure that the module functions as it should.
Thanks. Should we open a separate branch or issue for that?
I created a separate issue.
๐ Write tests for use-cases Active