Currently if a route does not define authentication methods, the following flow happens:
a) If the route requires permissions and they are all available to the anonymous user, all authentication methods (i.e. http_basic) will work since they simply add headers to the request. Cookie-based authentication ignores them and simply returns the anonymous user, so the request will be authorized.
b) If the route requires extra permissions (for example, access administration pages), but no authentication methods have been defined, then http_basic won't work. There is a test that verifies this.
I have heard from @Crell and @linclark that all authentication methods should be available when none are defined.
Comment | File | Size | Author |
---|---|---|---|
#1 | drupal-default-auth-providers-2064009-1.patch | 881 bytes | juampynr |
Comments
Comment #1
juampynr commented:
Here is an extra test that verifies that a route with _access: TRUE can be authorized when the request is authenticated, since the authentication headers will simply be ignored and the anonymous user has access to it.
Comment #2
Berdir commented:
This was by design in the original issue. When nothing is specified, only the default cookie authentication is available. I don't think we want to make everything accessible to basic auth by default?
Comment #3
juampynr commented:
No, the point is that we may need to change the logic so this test returns 200 instead of 403.
The above test attempts to access a route which requires an authenticated user with 'access administration pages' permission. It does not define any authentication providers so even though we authenticate the request with a valid user, the response code is 403.
I will ping @linclark in IRC to get more context about this requirement.
Comment #4
Berdir commented:
I know what you meant, but this seems like the correct behavior to me. Routes that don't define a specific authentication mechanism should use the default, not allow all. Many routes, for example, rely on being able to start a session, anything with forms for example. That will never work with basic auth.
Comment #5
juampynr commented:
OK then. If @crell and @linclark agree on #4, we can close this issue.
Comment #6
linclark commented:
I'm fine with only allowing the explicitly enabled authentication on a route. The only thing that I think is important is that supported formats and supported auth work in the same way.
I have created an issue for that, #2065193: supported_formats and supported_auth should work in the same way. In order for that issue to be resolved, either this one needs to go through or we need to create an issue to change the way supported_formats works. I don't care which way it goes, but klausi said in IRC that he prefers this one go through. Hopefully he will comment here.
Comment #7
linclark commented:
Discussed this with Klaus, we're both OK with switching the way that supported_formats works. We should double check with Crell, but I think we can probably close this.
Comment #8
Crell commented:
The current behavior (if you don't specify anything, only cookies work) is by design. That's so that the 98% case of someone just sticking an HTML page at a given path doesn't have to worry about authentication mechanisms. Let's leave it as is.
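The behavior settled on in this thread, shown as two Drupal 8 route definitions. This is an added example, not the issue's patch or core code; the module name, route names, paths and controller class are constructed, while `_permission`, `_auth` and the `basic_auth` provider are the Drupal 8 routing option and core module.

```yaml
# Added example (not from the issue or its patch). The example.module
# routes, paths and ReportController are constructed for illustration.

# Default case: no _auth option, so only the cookie (session) provider is
# consulted. A request that carries an Authorization: Basic header is
# still treated as anonymous; because this route requires a permission
# anonymous users lack, such a request is answered with 403. Browser
# sessions, forms and anything else that needs a session keep working.
example.admin_report:
  path: '/admin/reports/example'
  defaults:
    _controller: '\Drupal\example\Controller\ReportController::page'
    _title: 'Example report'
  requirements:
    _permission: 'access administration pages'

# Opt-in case: the route lists the providers it accepts. basic_auth is the
# core Basic Auth module's provider; keeping cookie in the list means the
# same path still works for logged-in browser users. Only routes that
# deliberately serve non-browser clients should widen the list like this.
example.admin_report_api:
  path: '/api/example/report'
  defaults:
    _controller: '\Drupal\example\Controller\ReportController::json'
  requirements:
    _permission: 'access administration pages'
  options:
    _auth: ['basic_auth', 'cookie']
```

A route with `_access: TRUE` and no `_auth` option behaves as in point (a) of the summary: the Basic header is ignored, the anonymous user is used, and the request is authorized because it needs no permission.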