ProjeQtOr free project management software - API: Basic Auth without htpasswd - ProjeQtOr

API: Basic Auth without htpasswd

10 Jul 2019 11:51 #1 by papjul
Hi,

The API feature of ProjeQtOr is not well documented as far as I could find.
However, I understand that you need to duplicate passwords:
- If you're using Apache + your host allows you to write .htaccess/.htpasswd, you can use what is provided inside the api/ folder. Then you need to DUPLICATE the passwords as bcrypt or anything supported by the server.
- If you're using nginx or any other server, you need to write your own rules for basic auth on server side. And then again, list users and passwords.

If you change your password in ProjeQtOr, you also need to crypt it again and change it in .htpasswd. Each time you want to add a user, you need to edit this .htpasswd on the server. You understand that this is a headache.

This is why I created this topic to request Basic Auth implementation from PHP side.

Basically, in api/index.php, you only need to set the Response headers to:
WWW-Authenticate: Basic realm="My realm"

And set status code of the response to 401 (Authentication required).

Then, in api/index.php, check in database that password is correct (you are currently only checking if user exists). Variable for password is PHP_AUTH_PW.
Otherwise, you deny access.

No need for .htaccess/.htpasswd this way, this is working with any server, and credentials are checked against the latest password of the user in the database.
This is much much simpler for everyone.

Thank you,
13 Jul 2019 18:54 #2 by babynus
Target of authentication feature is not to have it easy, but to have it secure.
Idea of Basic auth through Apache is to be able to provide duplicate authentication, with different passwords, one for Basic auth, one for projeqtor.
They don't need to be the same.
You'll find some examples in old format user manual (ppt available on download page)

I recorded your request, not sure we'll work on it.

Babynus
Administrator of ProjeQtOr web site
15 Jul 2019 10:26 - 15 Jul 2019 10:33 #3 by papjul
Hi babynus,

I just read the old documentation but I'm still not understanding your point.

Every user that wants to have access to API must crypt their (different) password by themselves (how?) and send it to sysadmin if they want to have access to API or change their API password?
That is so overcomplicated, and on the contrary, it doesn't look more secure to me.

If "duplicate authentication, with different passwords" is really a security requirement, you can add apiPassword (user-editable) and hasApiAccess (ProjeQtOr administrator-editable, similar to "Is a contact") to the resource table. Voilà, you don't need sysadmin.
Last edit: 15 Jul 2019 10:33 by papjul.
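The following is an added example, not code from ProjeQtOr or from either poster, showing what posts #1 and #3 together describe: an api/index.php entry point that answers with `WWW-Authenticate` and a 401, extracts the Basic credentials itself, and verifies them with `password_verify` against a hash stored per user, with a separate API password and an administrator-controlled access flag. The `$users` array is a constructed stand-in for a query against the resource table, and the column names `apiPasswordHash` and `hasApiAccess` are the hypothetical ones from post #3, not existing ProjeQtOr columns. Unknown logins are verified against a dummy hash so that response time does not reveal which logins exist.

```php
<?php
// Added example (not ProjeQtOr code): HTTP Basic Auth handled in PHP and
// checked against password hashes from the application database, instead of
// a separately maintained .htpasswd file.
declare(strict_types=1);

// CONSTRUCTED sample data standing in for "SELECT ... FROM resource".
// In a real deployment the hashes are produced once with password_hash()
// when the user sets their API password, not on every request as here.
function loadUsers(): array {
    return [
        'alice' => ['apiPasswordHash' => password_hash('alice-api-secret', PASSWORD_DEFAULT),
                    'hasApiAccess'    => true],   // admin granted API access
        'bob'   => ['apiPasswordHash' => password_hash('bob-api-secret', PASSWORD_DEFAULT),
                    'hasApiAccess'    => false],  // valid password, but no API access
    ];
}

// Extract login and password from the request. PHP_AUTH_USER/PHP_AUTH_PW are
// only filled in when PHP runs as an Apache module; under FastCGI or nginx the
// raw Authorization header has to be parsed instead, so both paths are handled.
function extractCredentials(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$login, $password] = explode(':', $decoded, 2);
    return [$login, $password];
}

// Returns the authenticated login, or null when access must be denied.
// A missing user is still run through password_verify (against $dummyHash)
// so that the timing of the reply is the same for known and unknown logins.
function authenticate(?array $credentials, array $users, string $dummyHash): ?string {
    if ($credentials === null) {
        return null;
    }
    [$login, $password] = $credentials;
    $row  = $users[$login] ?? null;
    $hash = $row['apiPasswordHash'] ?? $dummyHash;
    $passwordOk = password_verify($password, $hash);
    if (!$passwordOk || $row === null || empty($row['hasApiAccess'])) {
        return null;
    }
    return $login;
}

// The 401 + WWW-Authenticate challenge described in post #1.
function denyAccess(): void {
    header('WWW-Authenticate: Basic realm="ProjeQtOr API"');
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'Authentication required']);
    exit;
}

$users     = loadUsers();
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

$login = authenticate(extractCredentials($_SERVER), $users, $dummyHash);
if ($login === null) {
    // Log failures so repeated attempts against the API can be spotted.
    error_log('API authentication failure from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    denyAccess();
}

// From here on $login is authenticated and authorised for the API;
// the existing API router would be invoked at this point.
header('Content-Type: application/json');
echo json_encode(['authenticated_as' => $login]);
```

Two deployment details matter for the "works with any server" claim in post #1. Apache in CGI/FastCGI mode strips the Authorization header before PHP sees it unless it is told to pass it on (for example with `CGIPassAuth On`, or a rewrite rule that copies it into an environment variable), which is why the example also reads `HTTP_AUTHORIZATION` and `REDIRECT_HTTP_AUTHORIZATION`. And because Basic Auth sends the password on every request, it only gives the security post #2 asks for when the API is served over HTTPS and the stored value is a proper password hash, never the plaintext.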