raxx

v0.14.13

raxx v0.14.13 Raxx.BasicAuth

Add protection to a Raxx application using Basic Authentication.

Basic Authentication is specified in RFC 7617 (which obsoletes RFC 2617).

This module provides helpers for submitting and verifying credentials.

Submitting credentials

A client (or test case) can add user credentials to a request with set_credentials/3

iex> request(:GET, "/")
...> |> set_credentials("Aladdin", "open sesame")
...> |> get_header("authorization")
"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

Verifying fixed credentials

A server can authenticate a request against a fixed set of credentials using authenticate/3

iex> request(:GET, "/")
...> |> set_header("authorization", "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==")
...> |> authenticate("Aladdin", "open sesame")
{:ok, "Aladdin"}

iex> request(:GET, "/")
...> |> set_header("authorization", "Basic SmFmYXI6bXkgbGFtcA==")
...> |> authenticate("Aladdin", "open sesame")
{:error, :invalid_credentials}

Verifying multiple credentials

To authenticate a request when credentials are not fixed, define an application authenticate function. This function can authenticate a user in any way it wants. e.g. by fetching the user from the database. Extracting credentials from a received request can be done using get_credentials/1.

defmodule MyApp.Admin do
  def authenticate(request) do
    with {:ok, {user_id, password}} <- get_credentials(request) do
      # Find user and verify credentials
      {:ok, user}
    end
  end
end

NOTE: when comparing saved passwords with submitted passwords use secure_compare/2 to protect against timing attacks.

Challenging unauthorized requests

If a request is submitted with absent or invalid credentials a server should inform the client that it is accessing a resource protected with basic authentication. Use unauthorized/1 to create such a response.

NOTE

  • The Basic authentication scheme is not a secure method of user authentication https://tools.ietf.org/html/rfc7617#section-4

  • This module will be extracted to a separate project before the release of raxx 1.0

Link to this section Summary

Functions

authenticate(request, access_user_id, access_password)

Authenticate a request against fixed credentials

get_credentials(request)

Extract credentials submitted using the Basic authentication scheme

secure_compare(left, right)

Compares the two binaries in constant-time to avoid timing attacks. See: http://codahale.com/a-lesson-in-timing-attacks/

set_credentials(request, user_id, password)

Add a users credentials to a request to authenticate it

unauthorized(options)

Generate a response to a request that failed to authenticate

Link to this section Functions

Link to this function authenticate(request, access_user_id, access_password)

Authenticate a request against fixed credentials.

Link to this function get_credentials(request)

Extract credentials submitted using the Basic authentication scheme.

If credentials we not provided or are malformed an error is returned

Link to this function secure_compare(left, right)

Compares the two binaries in constant-time to avoid timing attacks. See: http://codahale.com/a-lesson-in-timing-attacks/

Link to this function set_credentials(request, user_id, password)

Add a users credentials to a request to authenticate it.

NOTE:

  1. The user-id and password MUST NOT contain any control characters
  2. The user-id must not contain a :
Link to this function unauthorized(options)

Generate a response to a request that failed to authenticate.

The response will contain a challenge for the client in the www-authenticate header. Use an unauthorized response to prompt a client into providing basic authentication credentials.

Options

  • realm: describe the protected area. default "Site"
  • charset: default "UTF-8"

Notes

  • The only valid charset is UTF-8; https://tools.ietf.org/html/rfc7617#section-2.1. A nil can be provided to this function to omit the parameter.

  • Validation should be added for the parameter values to ensure they only accept valid values.