SWI-Prolog -- library(http/http_authenticate): Authenticate HTTP connections using 401 headers

3.7 library(http/http_authenticate): Authenticate HTTP connections using 401 headers

This module provides the basics to validate an HTTP Authorization header. User and password information are read from a Unix/Apache compatible password file.

This library provides, in addition to the HTTP authentication, predicates to read and write password files.

http_authenticate(+Type, +Request, -Fields)

True if Request contains the information to continue according to Type. Type identifies the required authentication technique:

basic(+PasswordFile): Use HTTP Basic authentication and verify the password from PasswordFile. PasswordFile is a file holding usernames and passwords in a format compatible to Unix and Apache. Each line is record with : separated fields. The first field is the username and the second the password hash. Password hashes are validated using crypt/2.

Successful authorization is cached for 60 seconds to avoid overhead of decoding and lookup of the user and password data.

http_authenticate/3 just validates the header. If authorization is not provided the browser must be challenged, in response to which it normally opens a user-password dialogue. Example code realising this is below. The exception causes the HTTP wrapper code to generate an HTTP 401 reply.

(   http_authenticate(basic(passwd), Request, Fields)
->  true
;   throw(http_reply(authorise(basic, Realm)))
).

Fields

is a list of fields from the password-file entry. The first element is the user. The hash is skipped.

To be done: Should we also cache failures to reduce the risk of DoS attacks?

[semidet]http_authorization_data(+AuthorizeText, ?Data)

Decode the HTTP Authorization header. Data is a term

Method(User, Password)

where Method is the (downcased) authorization method (typically basic), User is an atom holding the user name and Password is a list of codes holding the password

[nondet]http_current_user(+File, ?User, ?Fields)

True when User is present in the htpasswd file File and Fields provides the additional fields.

Fields

are the fields from the password file File, converted using name/2, which means that numeric values are passed as numbers and other fields as atoms. The password hash is the first element of Fields and is a string.

[det]http_read_passwd_file(+Path, -Data)

Read a password file. Data is a list of terms of the format below, where User is an atom identifying the user, Hash is a string containing the salted password hash and Fields contain additional fields. The string value of each field is converted using name/2 to either a number or an atom.

passwd(User, Hash, Fields)

[det]http_write_passwd_file(+File, +Data:list)

Write password data Data to File. Data is a list of entries as below. See http_read_passwd_file/2 for details.

passwd(User, Hash, Fields)

To be done: Write to a new file and atomically replace the old one.

[multifile]http:authenticate(+AuthData, +Request, -Fields)

Plugin for library(http_dispatch) to perform basic HTTP authentication.

This predicate throws http_reply(authorise(basic, Realm)).

`AuthData`	must be a term `basic(File, Realm)`
`Request`	is the HTTP request
`Fields`	describes the authenticated user with the option `user(User)` and with the option `user_details(Fields)` if the password file contains additional fields after the user and password.