The restws_basic_auth_user_regex variable has the following documentation.

Per default only user names starting with "restws" will be tried to log in. This
can be configured with the "restws_basic_auth_user_regex" variable, which allows
you to define an arbitrary pattern that the user names must match. This avoids
unnecessary login attempts for standard human users on protected sites.

You can configure the regex (suitable for preg_match()) in your settings.php,
e.g.:

$conf['restws_basic_auth_user_regex'] = '/^web_service.*/';

and in code comment:

// Login only user names that match a pattern.

Can you clarify why someone wouldn't want to set it to just

$conf['restws_basic_auth_user_regex'] = '/.*/';

Comments

emmonsaz

I agree. I don't even see why this check is needed. I vote for removing the regex check altogether -- it only causes new user confusion and is difficult to troubleshoot.

klausi

The purpose of this variable comes from development sites that are protected with HTTP basic auth in general. So you always need to send HTTP auth user name and password along when visiting the site with your browser and at the same time restws will always try to log you in with those same credentials. That is annoying and can have unwanted side effects when trying to log in via a form for example.

For my use cases we always had a limited set of special users that performed the API requests so it was easy to restrict them with this regular expression. It allowed us to still use HTTP basic auth protected dev sites while restws_basic_auth is enabled.

So I don't really want to remove that regex check, but perhaps we could make it more friendly for starters? Take the all-in regex proposed by greggles as default value? Or even better: check if the variable actually exists before regex-ing at all.

Patches welcome!
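
The user-name gate discussed in this thread, as an added example that is not part of the thread and not the module's own code. The function name is hypothetical, `/^restws/` is an assumed form of the documented default, and treating an unset variable as "no filter" and a broken pattern as "no login" are choices made for this example.

```php
<?php
// Added illustration, not restws_basic_auth code. All names are hypothetical.

/**
 * Decide whether a Basic Auth user name should be tried as a Drupal login.
 *
 * @param string|null $regex    Configured pattern, or NULL if the variable is unset.
 * @param string      $username User name taken from the HTTP Authorization header.
 */
function example_should_attempt_login($regex, $username) {
  // One reading of "check if the variable exists before regex-ing": unset means no filter.
  if ($regex === NULL) {
    return TRUE;
  }
  // preg_match() returns 1 on match, 0 on no match, FALSE on a broken pattern.
  $result = @preg_match($regex, $username);
  if ($result === FALSE) {
    // Fail closed: a typo in settings.php should not widen who gets logged in.
    error_log('restws_basic_auth_user_regex is not a valid pattern: ' . $regex);
    return FALSE;
  }
  return $result === 1;
}

// Constructed sample data: two API accounts, a shared dev-site HTTP auth
// account, and a human administrator.
$patterns = array(
  'variable unset' => NULL,
  'restws prefix (assumed default)' => '/^restws/',
  'settings.php example' => '/^web_service.*/',
  'match all' => '/.*/',
  'broken pattern' => '/^web_service(/',
);
$usernames = array('restws_importer', 'web_service_sync', 'devsite', 'admin');

foreach ($patterns as $label => $regex) {
  $tried = array();
  foreach ($usernames as $name) {
    if (example_should_attempt_login($regex, $name)) {
      $tried[] = $name;
    }
  }
  printf("%-34s => %s\n", $label, $tried ? implode(', ', $tried) : '(none)');
}
```

With the match-all pattern or an unset variable, the shared `devsite` credentials and `admin` are both tried as Drupal logins, which is the side effect on Basic Auth protected dev sites described above.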

greggles

Status: Active » Needs review
FileSize: 1.46 KB

Ah, that makes sense.

Attached is a patch to document this. I think my statements are accurate, concise, and sufficiently explanatory. I also defaulted it to all users (at least I think I did - didn't test the regex).

emmonsaz

@klausi, thanks for the explanation - the use case for the regex check now makes sense and I think the @greggles patch is a good compromise.

klausi

Status: Needs review » Needs work
+++ b/restws_basic_auth/README.txt
@@ -15,3 +15,13 @@ You can configure the regex (suitable for preg_match()) in your settings.php,
+
+You might need this variable if, you have a site that is already behind Basic
+Auth (e.g. a test site being kept hidden from search engines). When you
+authenticate a user in that realm you probably don't want this module to try to
+authenticate them as a Drupal user.
+
+To authenticate all users, you can use a value like this (which is the default):
+
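
Review bot: the first added line has a stray comma in "if, you have a site"; drop it so the sentence reads "if you have a site that is already behind Basic Auth". The "(which is the default)" claim in the last added sentence also needs the README's earlier wording updated in the same patch, since the documentation quoted in the issue summary still says that by default only user names starting with "restws" are tried.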

that contradicts the existing paragraph above, we should adapt/rewrite that.

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 3: 1946108_docs_and_more_lenient_by_default.patch, failed testing.

pachabhaiya

Status: Needs work » Needs review
FileSize: 2.09 KB

I've made some changes in the docs and updated greggles's patch so that it applies cleanly in the latest 7.x-2.x-dev version.

Status: Needs review » Needs work

The last submitted patch, 8: restws-docs_and_more_lenient_by_default-1946108-8.patch, failed testing.