Regaez/grav-plugin-api

docs: explain authentication

Regaez opened this issue · 6 comments

We should create a docs/AUTHENTICATION.md file which explains the following:

  • explain authorisation using Grav Sessions
  • how to authenticate API requests using Basic auth
  • roles and their related permissions
  • how to define API roles on user accounts
  • how to create groups, and inherit group permissions as a user
  • explain taxonomy-based permissions
  • make a note about PHP-CGI and .htaccess workaround

Please, can you help me to use an API request?
I tried with ajax:

```js
// USERNAME and PASSWORD hold the Grav account credentials
$.ajax({
    url: '/api/pages/my-page',
    beforeSend: function(xhr) {
        xhr.setRequestHeader('Authorization', 'Basic ' + btoa(USERNAME + ':' + PASSWORD));
    }
});
```

The payload response was:

```json
{"message":"Bad credentials","documentation":"https:\/\/github.com\/regaez\/grav-plugin-api\/tree\/master\/docs"}
```

I used an account with this permission:

```yaml
access:
  api:
    super: 'true'
```

The $request->getHeader('PHP_AUTH_USER') is empty.
I'm sorry to write here, but I don't know who to ask.
Thanks

@masetto Hmm. Based on your example code, that appears like it should work... Are you using PHP-CGI on your server?

@Regaez I use PHP FastCGI.
Now I added these lines to my .htaccess:

```apache
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
```

and it works!
I didn't know about this problem.

Great! Thanks for commenting, I'll make sure to add this to the documentation when I get around to it.

Make sure you are also using HTTPS so you don't leak your credentials.
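Added example, not code from the grav-plugin-api project: one way a PHP backend can recover Basic credentials under CGI/FastCGI once the rewrite rule has exported the header, reading HTTP_AUTHORIZATION (or Apache's REDIRECT_HTTP_AUTHORIZATION) when PHP_AUTH_USER is absent and verifying with constant-time comparisons. The function names and the constructed request array are assumptions.

```php
<?php
// Added example (not part of grav-plugin-api). Under CGI/FastCGI, PHP_AUTH_USER and
// PHP_AUTH_PW stay empty; the raw header only reaches PHP through the .htaccess
// rewrite rule, as HTTP_AUTHORIZATION (or REDIRECT_HTTP_AUTHORIZATION on internal redirects).

/**
 * Return [username, password] from a $_SERVER-like array, or null if no usable
 * Basic credentials are present.
 */
function basicCredentials(array $server): ?array
{
    // Fast path: mod_php / php-fpm already decoded the header for us.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }

    // CGI/FastCGI path: header value exported by the rewrite rule.
    $raw = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';

    // Scheme name is case-insensitive (RFC 7617); Bearer tokens or empty values are rejected.
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($raw), $m)) {
        return null;
    }

    $decoded = base64_decode($m[1], true); // strict mode rejects malformed base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Only the first colon separates user from password; passwords may contain ':'.
    [$user, $pass] = explode(':', $decoded, 2);
    return $user === '' ? null : [$user, $pass];
}

/** Compare against a stored password_hash() value without leaking timing on the username. */
function checkBasic(array $server, string $expectedUser, string $expectedHash): bool
{
    $creds = basicCredentials($server);
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    return hash_equals($expectedUser, $user) && password_verify($pass, $expectedHash);
}

// Constructed request, shaped as Apache presents it after the rewrite rule (not a real user).
$server = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cret:with:colons')];
var_dump(checkBasic($server, 'alice', password_hash('s3cret:with:colons', PASSWORD_DEFAULT)));
```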

@Regaez If I want to use the API "internally" (from the same site where the API is installed), from a logged-in user session, but I don't know his password, can I do it?

This is currently not possible, as the authentication middleware only checks for Basic auth. However, it should be totally feasible, provided your site has a login plugin installed which adds the user to the session.

I hadn't considered this use case at all, but this would be a great feature to have in the API. I have created a new issue for this and will prioritise it for development. Please track the following issue: #78