On 05 May 2014, at 08:22, Dariush Forouher dariush@forouher.de wrote:
Hi Ján!
I'm using apache basic_auth on my webserver that runs Davical and caldavzap/mate.
While caldavzap doesn't seem to be negatively affected by basic_auth, unfortunately it doesn't take advantage of it either. In theory it could skip the login screen and jump right into the calendar. Instead one has to enter his credentials again.
No, basic auth is not related to "fast login" or anything similar. Basic auth = authentication where your username and password are sent in the request header without encryption. Another authentication is Digest auth, which uses multiple requests/responses and sends your password in hashed form.
Yes, I'm using Basic Auth over TLS:
apache config:
[...]
AuthType Basic
AuthName "My secret area"
[...]
You're right, it doesn't offer anything like "fast login" (the user still has to enter her password, just in a popup window presented by the browser).
What Basic Auth *does* offer is a simple way to achieve single-sign-on across wildly different web applications, as the browser will cache the credentials during its runtime.
You are partially right :-) ... the problem is that this approach works well for basic web sites, but not for JavaScript *applications*. If a web application needs to send username+password directly in the request, then it simply needs to know the username/password (and it cannot read these from the browser /there is no API for that/).
"/auth/" shows that caldavzap correctly receives username/password from the webserver (even when not "logged in" in caldavzap).
No, the auth module cannot return the username/password if you are not logged in. You very probably entered your username + password into the browser authentication window and saved them. Then if you open the /auth/ URL your browser sends the username + password automatically.
Yes, precisely.
Is there a way to make caldavzap (and *mate) to skip the login-screen in such a setup?
It looks like you don't understand the reason why the auth module exists. The MAIN reason is to prevent the browser from showing the auth popup if you enter an invalid username/password into the login window (because this problem is not solvable in pure JavaScript).
Yeah, the concept of the auth module is a bit fuzzy to me, and maybe it doesn't have anything to do with what I try to achieve (i.e., make caldavzap somehow acquire the credentials provided by the browser).
My understanding of caldavzap is that it runs partially as PHP on the server and partially in the browser as JS. I don't have much experience with JS-based apps like this. Old-school web applications like PHP-based ones could easily be modified to make use of the PHP_AUTH_* variables so that they would skip their login screen.
No, CalDavZAP is a pure JavaScript application, but it has one major limitation: if it sends the username+password directly to the *DAV server and these credentials are invalid, then your browser shows the auth popup window (because it handles the WWW-Authenticate: response header), which breaks the consistency of the GUI. There are 2 possible solutions for this problem:
1.) do not send the "WWW-Authenticate:" header if the client is CardDavMATE or CalDavZAP (X-Client header) ... this approach requires changes on the server side
2.) create a "proxy" module, which sends username+password to the *DAV server and, if the authentication is unsuccessful, does NOT return the "WWW-Authenticate:" header back to the client (=> no auth popup); the login process (only the login process) then looks like:
Client => Auth module => Server
I'd like to do the same with caldavzap. As caldavzap seems to run primarily as JS in the browser, it obviously doesn't have access to the PHP_AUTH_* environment variables. I just wonder whether you might know a way to make this work regardless.
As I mentioned earlier, there is no way to get the username/password from the browser back to the JavaScript. And if you don't know the username, then there is no principal URL => it will not work.
What you can try is:
1.) use the globalAccountSettings option with empty ('') username+password and the href option set to a principal URL with an invalid user part (such as "xxx"), and then use rewrite rules on the server side to replace the "xxx" username (from the auth variables) before the request reaches the *DAV server
2.) change the source code and perform the request to the auth module without requiring a click on the "Login" button. The reason why there is no such option is that I really hate it, because of the stupid implementation of basic auth by browsers (there is no way to log out without a browser restart)
JM
regards Dariush
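To illustrate the "proxy" auth module described in the thread (Client => Auth module => Server), here is an added example that is not CalDavZAP's or Davical's own code: it builds the Basic credentials, forwards them to a constructed stand-in for the *DAV server, and on a 401 strips the WWW-Authenticate header so the browser never shows its auth popup. The realm string, the sample account and the 207 body are constructed assumptions.

```python
"""Added example (not CalDavZAP's own code): a minimal 'auth module' proxy
that forwards Basic-auth credentials to the *DAV server and, on 401, drops
the WWW-Authenticate challenge so the JS client can show its own error."""
import base64
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]


def basic_auth_header(username: str, password: str) -> str:
    # RFC 7617: credentials are only base64-encoded, not encrypted, so this
    # header must only ever travel over TLS (as Dariush's setup does).
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def fake_dav_server(valid: Dict[str, str]) -> Callable[[Dict[str, str]], Response]:
    """Constructed stand-in for a *DAV server: checks Basic credentials and
    answers 401 plus a WWW-Authenticate challenge on failure (the exact
    response that makes a browser open its auth popup)."""
    def handle(headers: Dict[str, str]) -> Response:
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
            except (ValueError, UnicodeDecodeError):
                user, pw = "", ""
            if valid.get(user) == pw:
                return 207, {"Content-Type": "text/xml"}, b"<multistatus/>"
        # Realm name is a constructed placeholder.
        return 401, {"WWW-Authenticate": 'Basic realm="example-dav"'}, b""
    return handle


def auth_module(username: str, password: str,
                upstream: Callable[[Dict[str, str]], Response]) -> Response:
    """Client => Auth module => Server. The module knows the credentials the
    user typed into the app, performs the upstream request, and rewrites a
    401 so that no WWW-Authenticate header reaches the browser."""
    status, headers, body = upstream({"Authorization": basic_auth_header(username, password)})
    if status == 401:
        headers = {k: v for k, v in headers.items() if k.lower() != "www-authenticate"}
    return status, headers, body
```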