The API feature of ProjeQtOr is not well documented as far as I could find.
However, I understand that you need to duplicate passwords:
- If you're using Apache + your host allows you to write .htaccess/.htpasswd, you can use what is provided inside the api/ folder. Then you need to DUPLICATE the passwords as bcrypt or anything supported by the server.
- If you're using nginx or any other server, you need to write your own rules for basic auth on server side. And then again, list users and passwords.
If you change your password in ProjeQtOr, you also need to crypt it again and change it in .htpasswd. Each time you want to add a user, you need to edit this .htpasswd on the server. You understand that this is a headache.
This is why I created this topic to request Basic Auth implementation from PHP side.
Basically, in api/index.php, you only need to set the Response headers to:
WWW-Authenticate: Basic realm="My realm"
And set status code of the response to 401 (Authentication required).
Then, in api/index.php, check in database that password is correct (you are currently only checking if user exists). Variable for password is PHP_AUTH_PW.
Otherwise, you deny access.
No need for .htaccess/.htpasswd this way, this is working with any server, and credentials are checked against the latest password of the user in the database.
This is much much simpler for everyone.
Target of authentication feature is not to have it easy, but to have it secure.
Idea of Basic auth through Apache is to be able to provide duplicate authentication, with different passwords, one for Basic auth, one for ProjeQtOr.
They don't need to be the same.
You'll find some examples in old format user manual (ppt available on download page).
I recorded your request, not sure we'll work on it.
I just read the old documentation but I'm still not understanding your point.
Every user that wants to have access to API must crypt their (different) password by themselves (how?) and send it to sysadmin if they want to have access to API or change their API password?
That is so overcomplicated, and on the contrary, it doesn't look more secure to me.
If "duplicate authentication, with different passwords" is really a security requirement, you can add apiPassword (user-editable) and hasApiAccess (ProjeQtOr administrator-editable, similar to "Is a contact") to the resource table. Voilà, you don't need sysadmin.
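The PHP-side Basic Auth check described in the first post, combined with the separate apiPassword / hasApiAccess columns proposed above, as an added example that is not ProjeQtOr's code. It assumes a PDO connection `$pdo` and a `resource` table with columns `name`, `apiPassword` (a hash produced by `password_hash()`) and `hasApiAccess`; those names and the table layout are assumptions, not taken from the project.

```php
<?php
// Added example, not ProjeQtOr's own code. Assumed schema: table `resource`
// with `name`, `apiPassword` (password_hash() output) and `hasApiAccess`.

function denyAccess(): void
{
    // Challenge the client and stop; the browser/API client retries with credentials.
    header('WWW-Authenticate: Basic realm="ProjeQtOr API"');
    http_response_code(401);
    exit('Authentication required');
}

function basicAuthCredentials(): array
{
    // Apache's PHP module fills PHP_AUTH_USER / PHP_AUTH_PW itself.
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
    }
    // Under CGI/FastCGI (nginx + php-fpm) only the raw header may be available,
    // so decode "Authorization: Basic base64(user:password)" by hand.
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return ['', ''];
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return ['', ''];
    }
    return explode(':', $decoded, 2);
}

function authenticateApiUser(PDO $pdo): string
{
    [$user, $pass] = basicAuthCredentials();
    if ($user === '' || $pass === '') {
        denyAccess();
    }
    $stmt = $pdo->prepare('SELECT apiPassword, hasApiAccess FROM resource WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
    // Verify against a throwaway hash when the user is unknown, so a missing
    // account is not distinguishable from a wrong password by response time.
    $hash = $row['apiPassword'] ?? password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $hash) && !empty($row['hasApiAccess']);
    if (!$ok) {
        denyAccess();
    }
    return $user; // caller continues with the authenticated ProjeQtOr user
}

// Usage at the top of api/index.php:  $currentUser = authenticateApiUser($pdo);
```

Basic Auth sends the password base64-encoded on every request, so this only holds up when the API is served over HTTPS; the user-editable apiPassword is stored with `password_hash()` so a database leak does not expose it.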