joshdick / miniProxy

🚨⚠️ UNMAINTAINED! ⚠️🚨 A simple PHP web proxy.
http://joshdick.github.io/miniProxy
GNU General Public License v3.0

Add very basic HTTP authentication. #101

Closed magnific0 closed 6 years ago

magnific0 commented 6 years ago

As title says, this adds very basic authentication to the script. The solution is simple and self-contained and in spirit with miniProxy. It supports different users.

Passwords are stored plaintext in the file. I don't think this is an issue, but people should be aware.

No logout functionality, but to log out, simply send a bad (non-existent) username, like so:

https://baduser@example.com/miniProxy.php

joshdick commented 6 years ago

Neat idea.

Have you tested this in combination with proxied basic authentication requests? If I load https://httpbin.org/basic-auth/user/passwd through the proxy code in this PR with $authenticate = true;, I am unable to authenticate to httpbin.org (with credentials user/passwd) or to miniProxy itself using the example credentials you've hardcoded.

Nice use of hunter2 though. 😆

magnific0 commented 6 years ago

@joshdick thanks! I have just checked and it is exactly as you describe. The problem is that for the browser the Authorization header to httpbin.org and the domain that hosts miniProxy are indistinguishable.

As is, it only works in the case where both miniProxy and target site use the same credentials. This approach works for multiple sites, as the userdb can hold multiple entries. But the security of permanently storing external credentials is pretty questionable.

Other solutions will need to use cookies or sessions, which I was trying to avoid. An interesting solution is to set the "Authorization" header to a domain specific session/cookie entry. This also solves the current need to re-authenticate if you switch between sites with miniProxy. E.g. going back and forth between httpbin.org and (httpwatch:httpwatch):

https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx

I would prefer sessions over cookies as the server already needs to be trusted.
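Added here as an illustration, not code from this PR or from miniProxy: a Python simulation of the collision described above. A hashed user table (constructed, password "hunter2") stands in for the plaintext one, and `upstream_headers` shows the only two choices the proxy has with a single Basic header from the browser: drop it (the target's own authentication fails) or forward it (the proxy's credentials are sent to the target).

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed user table: username -> (salt, PBKDF2 digest). Hashing stands in
# for the plaintext storage the PR description mentions.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USER_DB = {"user": (_SALT, _hash("hunter2", _SALT))}

def basic_header(user: str, password: str) -> str:
    """Encode credentials the way a browser sends a Basic Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def proxy_authenticated(header: Optional[str]) -> bool:
    """Check the client's credentials against USER_DB in constant time."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    entry = USER_DB.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)

def upstream_headers(client_headers: dict, forward_auth: bool) -> dict:
    """Headers the proxy sends to the target. The browser sent one Authorization
    header, meant for the proxy's origin: dropping it breaks authentication at the
    target, forwarding it hands the proxy's credentials to the target."""
    upstream = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    if forward_auth and "Authorization" in client_headers:
        upstream["Authorization"] = client_headers["Authorization"]
    return upstream
```

Escaping this trade-off needs per-target credential state held by the proxy (the session approach discussed in the thread), which is exactly the complexity the maintainer weighs below.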

joshdick commented 6 years ago

Because of the inherent security issues with sharing credentials between miniProxy and proxied sites, and because implementing sessions would add more complexity to miniProxy than I believe is worthwhile, I am not going to pursue this idea further.

Even so, thanks very much for suggesting it!