Web 2.0 - Basic Auth

Hello,

I’m trying to convert one of my WEB 1.0 projects to WEB 2.0.
In WEB 1.0 I’m using BasicAuth to authenticate.
Now I’m wondering if there is an example to get BasicAuth running on WEB 2.0.
Did anyone already get this running?

Assuming you’re doing it with HandleSpecialURL or HandleURL in Web 1, the technique is nearly identical. You use HandleURL and the main difference is that the response and request were separated, so in all the places where you were setting values on the Request object in web 1, they now need to be set on the Response object.

If you’re still having trouble, show your code.

I guess Ricardo was working on an intranet example; it would be nice if he could develop it more and include all the options that modern apps are using. GitHub - piradoiv/intranet-example: Intranet skeleton example for Xojo Web

Hello Greg,

I modified an old example of BasicAuth to Web2.0 but it’s doing nothing.

Dim result As Boolean
Dim authHeader, items(), auth, username, password As String
Dim i As Integer

result = False

If request <> Nil Then
  System.DebugLog("Request Path: " + request.Path)
  If request.Path = "basicAuth" Then
    authHeader = request.Header("Authorization")
    System.DebugLog("authHeader: " + authHeader)
    If authHeader <> "" Then
      items = authHeader.Split(" ")
      For i = items.Ubound DownTo 0
        If items(i) = "" Then
          items.Remove(i)
        End If
      Next
      
      If items.Ubound = 1 And items(0) = "Basic" Then
        auth = DecodeBase64(items(1))
        
        username = auth.NthField(":", 1)
        password = auth.NthField(":", 2)
        
        Response.Write username + "</br>" + password
        Response.Status = 200
        result = True
      End If
      
    Else
      Response.Header("WWW-Authenticate") = "Basic realm=""basicAuth"""
      Response.Status = 401
      System.DebugLog("Status: 401")
      result = True
      
    End If
    
    If Not result Then
      Response.Header("WWW-Authenticate") = "Basic realm=""basicAuth"""
      Response.Status = 401
      System.DebugLog("Status: 401")
      result = True
      
    End If
  End If
  
End If

I also tried the example of Ricardo “Intranet Example” but it’s not using basic auth.
It’s fine if you are using it in a secure environment.
I wouldn’t use it in the shark tank.
You are able to manipulate db-contents if you are using a vulnerability scanner on this kind of authentication.

On basicAuth you can run brute force attacks, but you cannot alter data if you aren’t logged in.

Well I immediately see some issues:

  1. Request will never be nil.

  2. The browser doesn’t use a different path so Request.Path will never be “basicAuth”

  3. The server should not return the username & password. Remove this line:

Response.Write username + "</br>" + password

  4. You set the result property but you don’t return it at the bottom.

Even better.
This is something I can work with.
Thanks a lot, Greg.
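
Added example, not code from the thread or from Xojo: a Web 2.0 `App.HandleURL` handler that applies the four points in the reply above (no Nil check, no path check, no credentials written to the response, result returned). Assumptions: it challenges every request that reaches HandleURL, and `CredentialsAreValid` with its demo values is a hypothetical helper constructed for illustration.

```xojo
' Added example. App.HandleURL event of a Xojo Web 2.0 project.
Function HandleURL(request As WebRequest, response As WebResponse) As Boolean
  ' Expected header form: "Basic <base64 of username:password>"
  Dim authHeader As String = request.Header("Authorization").Trim
  Dim scheme As String = authHeader.NthField(" ", 1)
  Dim token As String = authHeader.NthField(" ", 2)

  ' "=" on Strings ignores case in Xojo, which suits the scheme name
  If scheme = "Basic" And token <> "" Then
    Dim auth As String = DecodeBase64(token).DefineEncoding(Encodings.UTF8)

    ' Split on the FIRST colon only: the password may itself contain ":",
    ' so NthField(":", 2) would silently truncate it.
    Dim pos As Integer = auth.IndexOf(":")
    If pos > 0 Then
      Dim username As String = auth.Left(pos)
      Dim password As String = auth.Middle(pos + 1)

      If CredentialsAreValid(username, password) Then
        response.Status = 200
        response.Write("Authenticated") ' never echo the credentials back
        Return True
      End If
    End If
  End If

  ' Missing, malformed or wrong credentials all get the same challenge,
  ' so the response does not reveal which part failed.
  response.Header("WWW-Authenticate") = "Basic realm=""basicAuth"""
  response.Status = 401
  Return True
End Function

' Hypothetical helper (a method on App), not part of the Xojo framework.
Function CredentialsAreValid(username As String, password As String) As Boolean
  ' Constructed demo values; a real app would check a salted password hash.
  Const kUser = "demo"
  Const kPassword = "Correct:Horse"

  ' Compare the password case-sensitively: with "=" the strings
  ' "correct:horse" and "Correct:Horse" would be treated as equal.
  Return username = kUser And _
    password.Compare(kPassword, ComparisonOptions.CaseSensitive) = 0
End Function
```

Basic auth sends the credentials base64-encoded, not encrypted, on every request, so a handler like this belongs behind HTTPS.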