Webs_kit.Basic_auth
HTTP basic authentication
WARNING. Only for quick hacks over HTTPS. Nothing serious should be protected by that: the user name and password travel in plain text on each request. Without prevention it is easily amenable to cross-site request forgery attacks. Finally, it is not possible for users to log out.
The type for users. Note that since all this is utterly broken the user should not contain ':' (U+003A) characters.
type check = user:user -> pass:string -> (unit, [ `User_unknown | `Wrong_password ]) Stdlib.result
The type for basic authentication password check. Really, don't use that. If this sources from storage at least hash your passwords.
val enticate : ?cancel:(Webs.Http.req -> Webs.Http.resp) -> check:check -> realm:string -> Webs.Http.req -> (user * Webs.Http.req, Webs.Http.resp) Stdlib.result
enticate ~check ~realm ~cancel req is:
Ok (user, req) if the basic authorization header in req passes check.
Error (cancel req) with a challenge for realm if there is no authorization header or if check failed. The page is only shown if the user cancels, defaults to an English HTML page that entices the user to try again via a link to self.
Error resp if the basic authentication failed to parse.
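One way to write a check that follows the advice above (hashed passwords, no ':' in user names) and plug it into enticate. This is an added example, not code from Webs. It assumes user is a string; verify_hash, dummy_hash, add_user, make_check, protect and the in-memory store are hypothetical names, with verify_hash standing for a real password hashing function (Argon2, scrypt, bcrypt) that you supply.

```ocaml
(* Added example, not Webs code. Assumptions: [Webs_kit.Basic_auth.user] is
   a [string]; [verify_hash] is a hypothetical binding to a real password
   hashing function that you supply. *)

module Smap = Map.Make (String)

(* Constructed sample store: user name -> encoded password hash. *)
let store : string Smap.t ref = ref Smap.empty

let add_user ~user ~hash =
  (* Basic credentials are "user:password": a ':' in the user name would be
     read as the separator, so refuse such names at enrolment. *)
  if String.contains user ':' then Error `Invalid_user_name else
  (store := Smap.add user hash !store; Ok ())

(* Builds a value of the [check] type documented above. [dummy_hash] is any
   valid encoded hash; it is only used to burn the same time for unknown
   users as for known ones. *)
let make_check
    ~(verify_hash : hash:string -> pass:string -> bool) ~dummy_hash
  : Webs_kit.Basic_auth.check
  =
  fun ~user ~pass -> match Smap.find_opt user !store with
  | None ->
      ignore (verify_hash ~hash:dummy_hash ~pass); Error `User_unknown
  | Some hash ->
      if verify_hash ~hash ~pass then Ok () else Error `Wrong_password

(* Wraps [service] so that it only runs for authenticated users. *)
let protect ~check ~realm service req =
  match Webs_kit.Basic_auth.enticate ~check ~realm req with
  | Ok (user, req) -> service user req
  | Error resp -> resp (* challenge, or the response for an unparsable header *)
```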