>From inspecting the code, my impression is that:
>1. There is an off-by-one in src/tipideed/cgi.c#L95-L101, as that would explain the truncation just one character _before_ the space, rather than _at_ the space.
Yup, you're right, it's a bug! Thanks for the report, will fix.
>2. There is a missing env var for passing the actual token, probably intended to avoid passing the username:password in the basic auth case.
>
>If 2 is indeed intended, maybe adding a config option for certain CGI scripts to receive it might be a good idea.
Now this is a bit hairier.
The CGI specification does not specify any way to pass the actual
token, and in fact, recommends *against* it:
"The server is not required to create meta-variables for all the
header fields that it receives. In particular, it SHOULD remove any
header fields carrying authentication information, such as
'Authorization'"
So, apparently, the CGI protocol expects the HTTP server to perform
any and all authentication before running a script, and the AUTH_TYPE
variable is only provided to the script as information that some
authentication took place.
A quick search confirmed that people indeed generally feel that
authentication information should not be passed to CGI scripts,
because it gives too much trust to scripts. That said, Apache has
the CGIPassAuth option to do that.
But I also found a Reddit thread on r/openbsd where someone recommends
using cookies when you're using the Bearer authentication scheme:
https://www.reddit.com/r/openbsd/comments/usyzu7/comment/i9d4gd0/
When I've fixed the AUTH_TYPE bug, can you solve your Bearer scheme
problem with cookies? I can probably add a CGIPassAuth option to
tipidee but it will take a little longer.
--
Laurent
Received on Tue Dec 31 2024 - 10:19:28 CET
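As an added illustration of the two points discussed in this thread (it is not tipidee's code, and the `pass_auth` opt-in flag is an assumed stand-in for an Apache-CGIPassAuth-style option): a small C routine that derives AUTH_TYPE from an Authorization header value by copying exactly the bytes before the first space (the spot where an off-by-one would drop the last character of the scheme), and an environment builder that follows the CGI spec's advice by exporting the raw header only when the operator has explicitly opted in for that script. The sample header values are constructed, not real credentials.

```c
#include <stdio.h>
#include <string.h>

#define CGI_ENV_LEN 256

/* Copy the authentication scheme (everything before the first space) of an
   Authorization header value into out. Returns the scheme length, or -1 if
   the scheme is empty or does not fit. The off-by-one pitfall discussed in
   the thread: the scheme is exactly n bytes where n is the index of the
   space, so copy n bytes, not n-1. */
int cgi_auth_type (char *out, size_t outlen, char const *authz)
{
  char const *sp = strchr(authz, ' ') ;
  size_t n = sp ? (size_t)(sp - authz) : strlen(authz) ;
  if (!n || n >= outlen) return -1 ;
  memcpy(out, authz, n) ;
  out[n] = 0 ;
  return (int)n ;
}

/* Convenience wrapper for the stand-alone demo: returns the scheme in a
   static buffer, or "" when the header is empty or malformed. */
char const *cgi_auth_type_s (char const *authz)
{
  static char buf[64] ;
  if (cgi_auth_type(buf, sizeof buf, authz) < 0) buf[0] = 0 ;
  return buf ;
}

/* Fill env with the authentication-related CGI variables for one request.
   AUTH_TYPE is always exported so the script knows that some authentication
   took place; the raw header is exported as HTTP_AUTHORIZATION only when
   pass_auth is nonzero, i.e. the operator opted in for this script
   (assumed per-script option, modelled on Apache's CGIPassAuth).
   Returns the number of entries written; 0 if authz is absent or malformed. */
unsigned int cgi_auth_env (char const *authz, int pass_auth,
                           char env[][CGI_ENV_LEN], unsigned int maxenv)
{
  char scheme[64] ;
  unsigned int n = 0 ;
  if (!authz || !maxenv) return 0 ;
  if (cgi_auth_type(scheme, sizeof scheme, authz) < 0) return 0 ;
  if (snprintf(env[n], CGI_ENV_LEN, "AUTH_TYPE=%s", scheme) >= CGI_ENV_LEN) return 0 ;
  n++ ;
  if (pass_auth && n < maxenv)
  {
    if (snprintf(env[n], CGI_ENV_LEN, "HTTP_AUTHORIZATION=%s", authz) >= CGI_ENV_LEN) return n ;
    n++ ;
  }
  return n ;
}

/* Scratch area used by the demo main below. */
char cgi_demo_env[4][CGI_ENV_LEN] ;

int main (void)
{
  /* Constructed sample header values, not real credentials. */
  char const *samples[] = { "Basic dXNlcjpwYXNz", "Bearer abc.def.ghi", "" } ;
  for (unsigned int i = 0 ; i < 3 ; i++)
    for (int pass = 0 ; pass < 2 ; pass++)
    {
      unsigned int n = cgi_auth_env(samples[i], pass, cgi_demo_env, 4) ;
      printf("header=\"%s\" passauth=%d -> %u var(s)\n", samples[i], pass, n) ;
      for (unsigned int j = 0 ; j < n ; j++) printf("  %s\n", cgi_demo_env[j]) ;
    }
  return 0 ;
}
```

With `pass_auth` left at 0 a script sees only `AUTH_TYPE=Bearer` (or `Basic`), which is the behaviour the CGI specification recommends; turning the flag on for one script yields the additional `HTTP_AUTHORIZATION=...` entry, so the trust extension is explicit and per-script rather than global.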