Created by: ybelenko
PR checklist
-
Read the contribution guidelines. -
Ran the shell script under ./bin/to update Petstore sample so that CIs can verify the change. (For instance, only need to run./bin/{LANG}-petstore.shand./bin/security/{LANG}-petstore.shif updating the {LANG} (e.g. php, ruby, python, etc) code generator or {LANG} client's mustache templates). Windows batch files can be found in.\bin\windows\. -
Filed the PR against the correct branch: master,3.1.x,4.0.x. Default:master. -
Copied the technical committee to review the pull request if your PR is targeting a particular programming language.
Description of the PR
Basic auth middleware verifies token from Authorization header.
If token not verified it returns 401 http status code and quits script execution.
User needs to implement My code swapped with tuupola/slim-basic-auth package.
For a quick start, user needs to implement own verifyCredentials method in AuthBasic.php. By default this method always returns false to avoid security holes on production.authenticator in SlimRouter class:
$basicAuth = new HttpBasicAuthentication([
"secure" => false,
"authenticator" => function ($arguments) {
$user = $arguments["user"];
$password = $arguments["password"];
// write your own code here, compare credentials with database etc.
return false;
}
]);Test endpoint with Basic auth:
$ curl -X POST "http://petstore.swagger.io:80/v2/fake" \
-H "accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "number=33&double=68.9&pattern_without_delimiter=FooBar&byte=fdfdfdf" -iOutput:
HTTP/1.1 401 Unauthorized
Date: Tue, 24 Jul 2018 08:54:42 GMT
Server: Apache/2.4.23 (Win64) PHP/7.2.7
X-Powered-By: PHP/7.2.7
WWW-Authenticate: Basic realm="Protected"
Content-Length: 0cc @jebentier @dkarlovi @mandrean @jfastnacht @ackintosh