PowerShell / Polaris

A cross-platform, minimalist web framework for PowerShell
https://powershell.github.io/Polaris/
MIT License

Provide a basic Auth example in the examples #106

Open TylerLeonhardt opened 6 years ago

TylerLeonhardt commented 6 years ago

This is possible with middleware but it's not apparent.

We essentially need to do what Passport did for Expressjs

TylerSiegrist commented 6 years ago

Is there already HTTPS support? That should probably be added before authentication is used.

TylerLeonhardt commented 6 years ago

That's a good point. I'll have to look into this.

Throwing this link down so I don't forget: https://stackoverflow.com/questions/11403333/httplistener-with-https-support

TylerLeonhardt commented 6 years ago

Probably can hook in LetsEncrypt in some way

TylerSiegrist commented 6 years ago

Might want to keep it agnostic or provide a way to use a cert installed on the local machine. Some companies like their own internal certs for this kind of thing. 😄

Tiberriver256 commented 6 years ago

Just some notes here on authentication with HttpListener.

HttpListener supports the following authentication schemes natively (Just set $Listener.AuthenticationSchemes):

  1. Basic
  2. NTLM
  3. Digest
  4. IntegratedWindowsAuthentication
  5. Negotiate
  6. None
  7. Anonymous

The default is anonymous. I'm not sure how NTLM and IntegratedWindowsAuth work on a Linux box (I tried and kept getting a 401, maybe it has to be joined to an Active Directory domain?) but Basic works great. It adds a User property to the $Context object returned by GetContext.

An article on the topic: https://leastprivilege.com/2006/05/06/httplistener-authentication-and-asp-net/

I'm not sure if we can get the Active Directory based stuff working cross-platform but it would open up a lot of powerful possibilities. $Context.User.Impersonate() for example would let you run scripts impersonating the calling user instead of the account executing the script. Meaning you could run your server with the lowest possible privileges needed to run the server (admin isn't needed for non-localhost listening if the name is registered ahead of time) and let the authenticating user elevate privileges.

That being said, I like taking a middle-ware approach to things as well. Especially for something like a passport-js to support OAuth with AzureAD, JWT, or Bearer token auth scenarios.

I think we (and PowerShell in general) are missing a really good module dependency manager (something like npm) that can manage, install, update, and import modules all local to a module inside like a pwsh_modules folder or something like that. Maybe the regular packagemanagement module does that and I'm not aware?

Also, created a new issue to track the https discussion in #107
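The HttpListener behaviour described above (setting AuthenticationSchemes, reading the User property off the context), as an added example that is not Polaris code and not part of the original comment. It assumes port 8080 on localhost is free and uses a constructed demo user name and password as a placeholder for a real credential check.

```powershell
# Added example (not Polaris code): Basic auth with System.Net.HttpListener.
# Negotiate/NTLM are left out because, as the thread notes, they depend on
# Windows domain membership; Basic behaves the same on Windows and Linux.
$Listener = [System.Net.HttpListener]::new()
$Listener.Prefixes.Add('http://localhost:8080/')   # assumed free port
$Listener.AuthenticationSchemes = [System.Net.AuthenticationSchemes]::Basic
$Listener.Start()

try {
    # Handle a single request, then stop (enough to show the flow).
    $Context  = $Listener.GetContext()
    $Response = $Context.Response

    # With Basic selected, HttpListener sends the 401 challenge itself and
    # only returns a context once an Authorization header has arrived.
    # It does NOT validate the credentials: $Context.User carries an
    # HttpListenerBasicIdentity, and checking it is the application's job.
    $Identity = $Context.User.Identity -as [System.Net.HttpListenerBasicIdentity]

    # Placeholder check with constructed demo values; a real server would
    # look the user up in a credential store and hash-compare the password.
    $Authorized = $false
    if ($Identity) {
        $Authorized = ($Identity.Name -eq 'demo' -and
                       $Identity.Password -eq 'demo-secret')
    }

    if ($Authorized) {
        $Response.StatusCode = 200
        $Body = [System.Text.Encoding]::UTF8.GetBytes("Hello, $($Identity.Name)")
    } else {
        # Re-issue the challenge so the client can retry with other credentials.
        $Response.StatusCode = 401
        $Response.AddHeader('WWW-Authenticate', 'Basic realm="demo"')
        $Body = [System.Text.Encoding]::UTF8.GetBytes('Unauthorized')
    }

    $Response.ContentLength64 = $Body.Length
    $Response.OutputStream.Write($Body, 0, $Body.Length)
    $Response.Close()
}
finally {
    # Basic sends the password base64-encoded, not encrypted, so outside a
    # local demo the prefix should be https:// (see the HTTPS discussion above).
    $Listener.Stop()
}
```

Exercise it with `Invoke-WebRequest http://localhost:8080/ -Credential (Get-Credential)` from a second session; a wrong password yields the 401 branch, the demo values yield the greeting.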

TylerLeonhardt commented 6 years ago

I agree. HttpListener supplies some really interesting auth scenarios (some very unique). My biggest worry is that they really only apply on Windows.

Especially for something like a passport-js to support OAuth with AzureAD, JWT, or Bearer token auth scenarios.

I love passport-js (if you couldn't guess by me mentioning it in the issue)!

The other option here is to investigate Kestrel. I opened an issue a while back regarding that. #12

Since HttpListener is not getting any love from the .NET team anymore (details in #107), maybe it's worth investigating?

Tiberriver256 commented 6 years ago

I would love to figure out Kestrel especially with the comments from the .NET team. Looks like the context object might be similar enough it wouldn't be a giant PR but would probably need some work. In the meantime though we can shy away from using stuff built into HttpListener as like another middleware, that should eliminate rework.

TylerLeonhardt commented 6 years ago

Yeah I totally agree :)