
[BUG] Basic auth fails when (anon) is used in the principals and previously cached credentials sent #5802

Closed
joshuafontany opened this issue Jun 16, 2021 · 3 comments

Comments

@joshuafontany
Contributor

joshuafontany commented Jun 16, 2021

Describe the bug
Set up a server with "(anon)" included in the auth principals (readers or writers).

Log in to the server with a valid user/password in a freshly launched browser window.

Your credentials are now cached (in all modern browsers, the basic auth cache is NOT a "stored password" and is only cleared on browser-app restart).

Shut down the server, change that user's password. Restart the server.

Refresh the (already open) browser window. The server receives a login request, which $:/core/modules/server/authenticators/basic.js handles, but because it has a header (with the cached & previously valid credentials), it only tests for valid username/password.

As the currently sent creds are not valid, the basic authenticator returns an HTTP error. This triggers a re-login request & the browser is then locked into a login-prompt loop (neither canceling nor entering any non-valid creds will break the loop).

Expected behavior
If "(anon)" is used as a reader or writer, all authentication attempts succeed, but ONLY valid logins receive an authenticatedUsername. The syncer then handles errors by setting

// Mark us as not logged in
self.wiki.addTiddler({title: this.titleIsLoggedIn,text: "no"});

in the error handler.

TiddlyWiki Configuration (please complete the following information):

  • Version [v5.1.24-prerelease]
  • Saving mechanism [Node.js]
  • Plugins installed [none]

Desktop (please complete the following information):

  • OS: [Windows 10]
  • Browser [Chrome]
  • Version [91.0.4472.101]
@joshuafontany
Contributor Author

Server listen command:
C:\Program Files\nodejs\node.exe .\TiddlyWiki5\tiddlywiki.js +plugins/tiddlywiki/tiddlyweb +plugins/tiddlywiki/filesystem C:\tw\TiddlyWiki5\editions\tw5.com --listen credentials=C:\tw\users.csv writers=Joshua "readers=(anon)"

@joshuafontany
Contributor Author

Looks like an anonymous logged in user (as a reader) cannot ever log out, as the logout request is a POST (& readers are limited to GET)... hrmmm, how to work around that one....

@joshuafontany
Contributor Author

Hrm, that complicates things, and I think this may be such a corner-case that it may introduce unwanted halo bugs.

I somehow got my Chrome browser to enter a state where it will not prompt for the basic-login credentials using the "logout"/"login" button under the server cloud. And that persists after server restart (but would not after browser restart).

Ugh. Ok... seems like basic auth just comes with these types of browser bugs.
