When the services_basic_auth module is used with Rest Server (https://www.drupal.org/project/rest_server), it fails to secure an endpoint configured to require HTTP basic authentication.

Rest Server Endpoint

Requesting resource from this endpoint returns 200 OK instead of 401 Unauthorized

REST Client


Comments

klaatuveratanecto created an issue. See original summary.

klaatuveratanecto’s picture

I have created a patch that fixes it.

vblanco7’s picture

It works!! Thank you so much!! :)

f0ns’s picture

My user/register functionality stopped working after this patch. I'll look into this tomorrow.

I get the following now when user/register is called: (Unauthorized : No credentials were supplied in the request.)

My call from an AngularJS app is the following:

        $http({
          method: 'POST',
          url: config.endpoint + '/api/user/register',
          dataType: 'json',
          data: {
            'mail': email,
            'pass': password,
            'status': 1,
          },
        })
          .success(function (data, status, headers, config) {
            deferred.resolve(data);
            $ionicLoading.hide();
          })
          .error(function (data, status, headers, config) {
            deferred.reject(data);
            $ionicLoading.hide();
          });

        return deferred.promise;
      },

markpavlitski’s picture

Assigned: klaatuveratanecto » Unassigned
Status: Active » Closed (works as designed)

@klaatuveratanecto - this happens by design.

This module only provides authentication on behalf of the services module; it does not deal with request authorization. It will not block requests; that is up to services and Drupal's permission system.

If an anonymous user has permission to access the data displayed in the endpoint, then the request will succeed even if the request is unauthenticated.

Furthermore, services allows more than one authentication mechanism to be used, and they are tried in sequence; implementing the patch provided would break that behaviour.
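
A simplified model of the behaviour described in the comment above, added here as an illustration and not code from services_basic_auth or Services: authenticators are tried in sequence and only identify the caller, the permission check decides the response, and `$strict` models the rejected patch. The accounts, permission names, function names and status codes are constructed assumptions.

```php
<?php
// Simplified model, not the Services module's code. All names and data are constructed.
const USERS = ['alice' => 's3cret'];
const SESSIONS = ['sess-1' => 'alice'];
const ROLE_PERMS = [
    'anonymous'     => ['register account'],
    'authenticated' => ['register account', 'view reports'],
];

// An authenticator only identifies the caller: user name, or null if it cannot.
function basic_auth(array $req): ?string {
    $header = $req['headers']['Authorization'] ?? '';
    if (strncmp($header, 'Basic ', 6) !== 0) return null;
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) return null;
    [$user, $pass] = explode(':', $decoded, 2);
    $expected = USERS[$user] ?? null;
    return $expected !== null && hash_equals($expected, $pass) ? $user : null;
}

function session_auth(array $req): ?string {
    return SESSIONS[$req['cookie'] ?? ''] ?? null;
}

// $strict models the rejected patch: basic auth answers 401 itself when it finds
// no valid credentials, so the next authenticator and the permission check never run.
function handle(array $req, string $needs, bool $strict = false): int {
    $user = basic_auth($req);
    if ($user === null && $strict) return 401;
    $user = $user ?? session_auth($req);            // next mechanism in the sequence
    $role = $user === null ? 'anonymous' : 'authenticated';
    if (in_array($needs, ROLE_PERMS[$role], true)) return 200;  // authorization step
    return $user === null ? 401 : 403;
}

$anon   = ['headers' => []];
$basic  = ['headers' => ['Authorization' => 'Basic ' . base64_encode('alice:s3cret')]];
$cookie = ['headers' => [], 'cookie' => 'sess-1'];
$cases = [
    ['anonymous, anonymous-permitted resource', $anon,   'register account', false],
    ['anonymous, restricted resource',          $anon,   'view reports',     false],
    ['basic credentials, restricted resource',  $basic,  'view reports',     false],
    ['session cookie, restricted resource',     $cookie, 'view reports',     false],
    ['patched: anonymous registration',         $anon,   'register account', true],
    ['patched: session cookie',                 $cookie, 'view reports',     true],
];
foreach ($cases as [$label, $req, $needs, $strict]) {
    printf("%-42s %d\n", $label, handle($req, $needs, $strict));
}
```

In this model, an endpoint is closed to unauthenticated callers by removing its permission from the `anonymous` role, which leaves the authenticator sequence untouched.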
