inhabitedtype / ocaml-webmachine

A REST toolkit for OCaml

Fix WWW-Authenticate header for requesting Basic authentication #60

Closed ansiwen closed 8 years ago

seliopou commented 8 years ago

This is a good catch. I meant for the Basic variant to be the interface to the WWW-Authenticate header, but it seems as if this requires more thought. Accepting the PR to get the current name in line with what it should do, but this will likely be tweaked in the future to expose more of the functionality of the header. With respect to that, suggestions are welcomed.

ansiwen commented 8 years ago

To my knowledge the header does not have much more functionality. If you have a case for the Basic authentication, then there is only the realm to be set. Before this fix I had to return `Basic "Basic realm = \"foobar\"", so the double "Basic" is really redundant, and there is no other option than realm. So I think it is good enough like it is now.

seliopou commented 8 years ago

The WWW-Authenticate header can be used for more than just the basic authentication scheme. The idea was originally to allow raw access to the header through the Basic variant, but it was just poorly-named. Really, the auth type should look something like this:

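(* A polymorphic variant cannot carry an inline record, so the record is a named type. *)
type challenge = { scheme : string; realm : string; params : (string * string) list }

type auth =
  [ `Authorized
  | `Challenge of challenge
  | `Redirect of Uri.t
  ]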

Then you could do a basic authentication challenge like this:

`Challenge { scheme = "Basic"; realm = "foobar"; params = [] }
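
As an added illustration (not part of this PR or of webmachine's code), here is one way the proposed challenge record could be rendered into a WWW-Authenticate value. It checks the scheme and parameter names as RFC 7230 tokens and emits values as quoted-strings, so a realm containing quotes or CR/LF cannot alter the header. The `challenge` type name and the `is_token`, `quote` and `to_header` helpers are hypothetical.

```ocaml
(* Added example: hypothetical renderer for the proposed challenge record. *)
type challenge =
  { scheme : string; realm : string; params : (string * string) list }

(* RFC 7230 "tchar": characters allowed in a token (scheme, parameter names). *)
let is_tchar = function
  | 'a' .. 'z' | 'A' .. 'Z' | '0' .. '9'
  | '!' | '#' | '$' | '%' | '&' | '\'' | '*' | '+' | '-' | '.'
  | '^' | '_' | '`' | '|' | '~' -> true
  | _ -> false

let is_token s =
  let ok = ref (s <> "") in
  String.iter (fun c -> if not (is_tchar c) then ok := false) s;
  !ok

(* Render a value as a quoted-string. Control characters (CR and LF
   included) are rejected so a value cannot start a new header line;
   double quotes and backslashes are escaped with a backslash. *)
let quote v =
  let b = Buffer.create (String.length v + 2) in
  Buffer.add_char b '"';
  String.iter
    (fun c ->
      if (c < ' ' && c <> '\t') || c = '\x7f' then
        invalid_arg "control character in auth-param value";
      if c = '"' || c = '\\' then Buffer.add_char b '\\';
      Buffer.add_char b c)
    v;
  Buffer.add_char b '"';
  Buffer.contents b

(* Build the header value: scheme, then realm, then any further params. *)
let to_header { scheme; realm; params } =
  if not (is_token scheme) then invalid_arg "scheme is not a token";
  let param (k, v) =
    if not (is_token k) then invalid_arg "parameter name is not a token";
    k ^ "=" ^ quote v
  in
  scheme ^ " " ^ String.concat ", " (List.map param (("realm", realm) :: params))

let () =
  (* Constructed sample values. *)
  print_endline (to_header { scheme = "Basic"; realm = "foobar"; params = [] });
  print_endline
    (to_header
       { scheme = "Basic"; realm = "a \"b\""; params = [ ("charset", "UTF-8") ] })
```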