From l-infit@wieh.eu Tue Dec 14 17:31:11 2021
From: l-infit@wieh.eu
To: davclients@lists.inf-it.com
Subject: [Inf-IT DAVcl] Using HTTP Basic Auth
Date: Fri, 16 Mar 2018 17:33:34 +0100
Message-ID: <20180316163334.GE1267@tina>

Hi!

I just want to share my hack, as it will likely be valuable to others as well.

I have a not so uncommon setup: people log in via HTTP Basic Authentication (popup window in the web browser). The web server manages the login via LDAP. Once logged in, they have access to several web services like a wiki, a file safe (Nextcloud or something), InfCloud and others. So clearly I do not want any login page. The login credentials are known by the web server and the web browser. The web browser will happily send them again without user interaction. Officially there seems to be no way to log in without the login screen, but without hard-coding credentials in the config.js.

Ok. Generally, this is not so easy, because in Javascript you cannot access the browser’s authentication cache—for good reason. But in my case (and maybe in your case, too) the InfCloud files are provided by the same web server that also serves as the WebDAV server (DAViCal in my case); and also by the same vhost. (This might later be important—see below. I have no special subdomain for DAViCal.) So there are no (additional) security concerns in sending the credentials once again from the browser to the web server and back again, so I can read them in my Javascript.

Here is what I have done:

1) Rename InfCloud’s index.html to index.php.

You should try this out. Maybe you had better use another language, if PHP is not available to your web server. In my case, DAViCal is running on the same web server, which is written in PHP. So, obviously, I can run PHP scripts.

2) In the lines around 620 in index.php, there are some hidden form fields (<input id="foo" type="hidden" value=""/>). Add two more like this:

    "/>
    "/>

The effect is that the user gets back an HTML file with their login credentials in cleartext in there. Don’t do this if this is risky in your setup. In most cases this should not be risky, as the browser knows the credentials anyway; as well as anyone who can read the traffic between the browser and the InfCloud web server.

3) In the beginning of the index.php, inside the section, there are several lines starting with “ tag.

The Javascript needs to be loaded after the rest of the document, because otherwise the Javascript code in the beginning would not have access to the content of the document, i.e. to our credentials.

4) In config.js, enable the globalAccountSettings method (the one with the hard-coded credentials). But instead of really hard-coding some credentials there, you type (for example, if you have DAViCal installed in /cal/ and rewrite the URLs in your web server config, so you can omit the part “/caldav.php”):

    href: 'https://example.com:443/cal/'+document.getElementById('foo-login').value+'/',
    userAuth: {
        userName: document.getElementById('foo-login').value,
        userPassword: document.getElementById('foo-pw').value
    },

If both the WebDAV server and the InfCloud files are below the same principal URL (same vhost), then a better solution would be if InfCloud would simply try to access the WebDAV server without sending any login credentials. The WebDAV server would then reply with 401 and the browser would resend the request with the already-known credentials in the request header. This would be much less of a hack. Maybe someone else wants to try that.

Love
Torsten