Module `Webs_kit.Basic_auth`

HTTP basic authentication

WARNING. Only for quick hacks over HTTPS. Nothing serious should be protected by that, the user name and password travel in plain text on each request. Without prevention it is easily amenable to cross-site request forgery attacks. Finally it is not possible for users to log out.

References.

R. Fielding et al. Hypertext Transfer Protocol (HTTP/1.1): Authentication. 2014
J. Reschke. The 'Basic' HTTP Authentication Scheme. 2015

type user = string: The type for users. Note that since all this is utterly broken the user should not contain ':' (U+003A) characters.

type check = user:user -> pass:string -> (unit, [ `User_unknown | `Wrong_password ]) Stdlib.result: The type for basic authentication password check. Really, don't use that. If this sources from storage at least hash your passwords.

val enticate : ?⁠cancel:(Webs.Req.t -> Webs.Resp.t) -> check:check -> realm:string -> Webs.Req.t -> (user * Webs.Req.t, Webs.Resp.t) Stdlib.result

enticate ~check ~realm ~forbidden_body ~cancel req is:

Ok (user, req) if the basic authorization header in req passes check.
A 401 response Error (cancel req) with a challenge for realm if there is no authorization header or if check failed. The page is only shown if the user cancels, defaults to an english HTML page that entices the user to try again via a link to self.
A 400 bad request Error resp if the basic authentication failed to parse.