raxx v0.14.13 Raxx.BasicAuth
Add protection to a Raxx application using Basic Authentication.
Basic Authentication is specified in RFC 7617 (which obsoletes RFC 2617).
This module provides helpers for submitting and verifying credentials.
Submitting credentials
A client (or test case) can add user credentials to a request with set_credentials/3
iex> request(:GET, "/")
...> |> set_credentials("Aladdin", "open sesame")
...> |> get_header("authorization")
"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
Verifying fixed credentials
A server can authenticate a request against a fixed set of credentials using authenticate/3
iex> request(:GET, "/")
...> |> set_header("authorization", "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==")
...> |> authenticate("Aladdin", "open sesame")
{:ok, "Aladdin"}
iex> request(:GET, "/")
...> |> set_header("authorization", "Basic SmFmYXI6bXkgbGFtcA==")
...> |> authenticate("Aladdin", "open sesame")
{:error, :invalid_credentials}
Verifying multiple credentials
To authenticate a request when credentials are not fixed, define an application authenticate function.
This function can authenticate a user in any way it wants. e.g. by fetching the user from the database.
Extracting credentials from a received request can be done using get_credentials/1
.
defmodule MyApp.Admin do
def authenticate(request) do
with {:ok, {user_id, password}} <- get_credentials(request) do
# Find user and verify credentials
{:ok, user}
end
end
end
NOTE: when comparing saved passwords with submitted passwords use secure_compare/2
to protect against timing attacks.
Challenging unauthorized requests
If a request is submitted with absent or invalid credentials a server should inform the client that it is accessing a resource protected with basic authentication.
Use unauthorized/1
to create such a response.
NOTE
The Basic authentication scheme is not a secure method of user authentication https://tools.ietf.org/html/rfc7617#section-4
This module will be extracted to a separate project before the release of raxx 1.0
Link to this section Summary
Functions
Authenticate a request against fixed credentials
Extract credentials submitted using the Basic authentication scheme
Compares the two binaries in constant-time to avoid timing attacks. See: http://codahale.com/a-lesson-in-timing-attacks/
Add a users credentials to a request to authenticate it
Generate a response to a request that failed to authenticate
Link to this section Functions
Authenticate a request against fixed credentials.
Extract credentials submitted using the Basic authentication scheme.
If credentials we not provided or are malformed an error is returned
Compares the two binaries in constant-time to avoid timing attacks. See: http://codahale.com/a-lesson-in-timing-attacks/
Add a users credentials to a request to authenticate it.
NOTE:
- The user-id and password MUST NOT contain any control characters
- The user-id must not contain a
:
Generate a response to a request that failed to authenticate.
The response will contain a challenge for the client in the www-authenticate
header.
Use an unauthorized response to prompt a client into providing basic authentication credentials.
Options
- realm: describe the protected area. default
"Site"
- charset: default
"UTF-8"
Notes
The only valid charset is
UTF-8
; https://tools.ietf.org/html/rfc7617#section-2.1. Anil
can be provided to this function to omit the parameter.Validation should be added for the parameter values to ensure they only accept valid values.