Triply-Dev / YASGUI.YASQE-deprecated

Deprecated, see https://github.com/TriplyDB/Yasgui for the Yasgui monorepo
MIT License

Username/Password #94

Closed dcmcshan closed 7 years ago

dcmcshan commented 7 years ago

Is there a way to specify username/password for the endpoint?

Thanks!

LaurensRietveld commented 7 years ago

I suppose you mean an endpoint that is secured by basic authentication? I tried to solve this issue in a generic fashion here (https://github.com/OpenTriply/YASGUI/issues/45), but failed to. However, if you're planning to deploy yasqe on one endpoint specifically, and you control the endpoint as well as the YASQE page, this should be possible.

If you're in a position where you can hardcode the username/password in JS, you can simply set the Authorization header via this YASQE config:

{
  sparql: { 
    headers: { 
      Authorization: '<base encoded credentials>'
     }
  }
}

If you'd like to present something like a popup, it should be possible as well, by setting:

{
  sparql: {
    xhrFields: {
      withCredentials: true
    }
  }
}

You may need to update your endpoint as well, as JS requests over basic auth are not allowed when the endpoint has a wildcard CORS setting. (you'll notice that soon enough when the above setting results in network errors in your browser developer toolbar)

dcmcshan commented 7 years ago

Thanks for the quick reply. I have tried the following to no avail, does it look correct?

var yasqe = YASQE(document.getElementById("yasqe"), {
  sparql: {
    showQueryButton: true,
    endpoint: "http://amc-tantor.ucdenver.pvt:10035/repositories/kabob-dev/",
    headers: { Authorization: 'username:password' }
  }
});

var yasqe = YASQE(document.getElementById("yasqe"), {
  sparql: {
    showQueryButton: true,
    endpoint: "http://amc-tantor.ucdenver.pvt:10035/repositories/kabob-dev/",
    xhrFields: { withCredentials: true }
  }
});

We are using AllegroGraph, if that is relevant.

LaurensRietveld commented 7 years ago

What are the messages you see in your browser toolbar? For both methods there should be some network errors (I'm guessing they are CORS related).

dcmcshan commented 7 years ago

Yes. I think you are right. I am unwise in the ways of CORS. Is this something my IT guy will know how to fix? Or is it an Allegrograph issue? (I am using Allegrograph)

[Error] Cross-origin redirection to http://amc-tantor.ucdenver.pvt:10035/repositories/kabob-dev denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8801 is not allowed by Access-Control-Allow-Origin.
[Error] Failed to load resource: Cross-origin redirection to http://amc-tantor.ucdenver.pvt:10035/repositories/kabob-dev denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8801 is not allowed by Access-Control-Allow-Origin. (kabob-dev, line 0)
[Error] XMLHttpRequest cannot load http://amc-tantor.ucdenver.pvt:10035/repositories/kabob-dev/ due to access control checks.

And these errors, if I do it a slightly different way...

[Error] Failed to load resource: Preflight response is not successful (kabob-dev, line 0)
[Error] XMLHttpRequest cannot load http://amc-tantor.ucdenver.pvt:10035/repositories/kabob-dev/. Preflight response is not successful

LaurensRietveld commented 7 years ago

That's difficult to say: it can be either Allegrograph or a proxy (if there is any) in between such as nginx or apache. This should indeed be something the IT guy would be able to fix. I'd point him to this ticket first https://github.com/OpenTriply/YASGUI/issues/45 as this describes the problem a bit better.

In short, there should not be a wildcard cross-domain setting such as Access-Control-Allow-Origin:* as this may cause problems when authenticating using basic oauth. Instead, in something like nginx, you'd set the Access-Control header based on one of the request headers:

add_header 'Access-Control-Allow-Origin' "$http_origin";

This would have the same effect as a wildcard cors header, but you'd avoid the possible authentication issues.
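
The two points discussed in this thread, as an added JavaScript example that is not part of the original comments or of YASQE itself: the value a Basic `Authorization` header carries (what would go in `sparql.headers.Authorization`), and the check a browser applies to the CORS response headers of a request sent with `withCredentials: true`. The function names and the allowlist are assumptions; the server-side helper echoes `Origin` only for listed origins rather than for every caller, since an echoed origin combined with `Access-Control-Allow-Credentials: true` lets whichever site is echoed read authenticated responses.

```javascript
// Added example; all function names here are hypothetical, not YASQE API.

// HTTP Basic auth (RFC 7617): the header value is the scheme "Basic",
// a space, then base64("user:password"), not the raw "user:password".
function basicAuthHeader(user, password) {
  const raw = `${user}:${password}`;
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(raw, 'utf8').toString('base64') // Node.js
    : btoa(raw);                                  // browsers; Latin-1 input only
  return 'Basic ' + b64;
}

// Server side: echo the request's Origin only if it is explicitly allowed.
function corsHeadersFor(origin, allowlist) {
  if (!allowlist.includes(origin)) return {}; // no CORS headers, browser blocks the read
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    vary: 'Origin', // stop caches reusing one origin's response for another
  };
}

// Browser side: rule applied to a response when credentials were included.
function credentialedResponseAllowed(origin, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined || allowOrigin === '*') return false; // wildcard rejected
  return allowOrigin === origin &&
    headers['access-control-allow-credentials'] === 'true';
}

// Constructed inputs: the page origin is the one in the error log above.
const PAGE_ORIGIN = 'http://127.0.0.1:8801';
const OTHER_ORIGIN = 'http://other.example';
const ALLOWLIST = [PAGE_ORIGIN];

function demo() {
  return {
    header: basicAuthHeader('username', 'password'),
    wildcard: credentialedResponseAllowed(
      PAGE_ORIGIN, { 'access-control-allow-origin': '*' }),
    allowlisted: credentialedResponseAllowed(
      PAGE_ORIGIN, corsHeadersFor(PAGE_ORIGIN, ALLOWLIST)),
    unknownOrigin: credentialedResponseAllowed(
      OTHER_ORIGIN, corsHeadersFor(OTHER_ORIGIN, ALLOWLIST)),
  };
}

console.log(demo());
```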

LaurensRietveld commented 7 years ago

Closing. If there are other issues, let me know.