languagetool-org / languagetool

Style and Grammar Checker for 25+ Languages
https://languagetool.org
GNU Lesser General Public License v2.1

Support BasicAuth in browser extension #4308

Open DaniSchenk opened 3 years ago

DaniSchenk commented 3 years ago

I installed my own server and I added Basic Auth to protect it. It works from the command line:

curl --data "language=en-US&text=a simple test" https://<user>:<pw>@languagetool.domain.tld/v2/check

{"software":{"name":"LanguageTool","version":"5.2","buildDate":"2020-12-30 14:55","apiVersion":1,"premium":false,"premiumHint":"You might be missing errors only the Premium version can find. Contact us at support<at>languagetoolplus.com.","status":""},"warnings":{"incompleteResults":false},"language":{"name":"English (US)","code":"en-US","detectedLanguage":{"name":"French","code":"fr","confidence":0.815771}},"matches":[{"message":"This sentence does not start with an uppercase letter.","shortMessage":"","replacements":[{"value":"A"}],"offset":0,"length":1,"context":{"text":"a simple test","offset":0,"length":1},"sentence":"a simple test","type":{"typeName":"Other"},"rule":{"id":"UPPERCASE_SENTENCE_START","description":"Checks that a sentence starts with an uppercase letter","issueType":"typographical","category":{"id":"CASING","name":"Capitalization"}},"ignoreForIncompleteSentence":true,"contextForSureMatch":-1}]}

The browser extension is not working. The extension works when the Basic Auth part of the URL is omitted. I also tried using only lowercase names and passwords, only URL-safe characters, but I had no luck. Am I missing something?


DaniSchenk commented 3 years ago

I took a quick look into the Firefox extension and could get this error message out of it:

Uncaught (in promise) {…}
message: "Verbindung zu https://user:password@languagetool.domain.tld/v2/check fehlgeschlagen (#1, code=undefined)"
reason: "ConnectionError"
response: "Window.fetch: https://user:password@languagetool.domain.tld/v2/check is an url with embedded credentials."
stack: undefined
status: 0
<prototype>: {…

FF and other browsers are preventing requests to URLs containing embedded credentials (for obvious reasons). So this issue is not a bug report.

However, my initial problem still persists. How do I secure my server if my clients (extensions) only provide one URL configuration option? The extension could extract embedded credentials from the URL and add them as Authorization Headers to the request instead, right?
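The header-based approach asked about above could look like the following. This is an added example, not part of the original thread and not code from the LanguageTool extension; the function names `toAuthenticatedRequest` and `buildCheckRequest` are hypothetical, and refusing non-HTTPS URLs is an assumption of this sketch.

```javascript
// Added example (not extension code): move userinfo from a configured server
// URL into an Authorization header so fetch() never sees embedded credentials.

function utf8ToBase64(text) {
  // btoa() only accepts Latin-1, so encode to UTF-8 bytes first.
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

function toAuthenticatedRequest(configuredUrl) {
  const url = new URL(configuredUrl);
  const headers = {};
  if (url.username !== "" || url.password !== "") {
    // The URL API exposes userinfo percent-encoded; decode before use.
    const user = decodeURIComponent(url.username);
    const pass = decodeURIComponent(url.password);
    if (user.includes(":")) {
      // RFC 7617: the user-id cannot contain a colon.
      throw new Error("Basic auth user name must not contain ':'");
    }
    if (url.protocol !== "https:") {
      // Assumption of this example: Basic credentials are only sent over TLS.
      throw new Error("refusing to send Basic credentials over " + url.protocol);
    }
    headers["Authorization"] = "Basic " + utf8ToBase64(user + ":" + pass);
    url.username = "";
    url.password = "";
  }
  return { url: url.href, headers };
}

// Builds the arguments for fetch() for the same POST the curl command sends.
function buildCheckRequest(configuredUrl, language, text) {
  const { url, headers } = toAuthenticatedRequest(configuredUrl);
  const init = {
    method: "POST",
    headers,
    body: new URLSearchParams({ language, text }),
    credentials: "omit", // do not attach cookies or cached browser credentials
  };
  return [url, init];
}

// Usage: const [url, init] = buildCheckRequest(serverUrl, "en-US", "a simple test");
//        const response = await fetch(url, init);
```

Because the extension would call the server from web pages or its own origin, the server also has to allow the `Authorization` request header in its CORS preflight response for this to work.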

danielnaber commented 3 years ago

> How do I secure my server if my clients (extensions) only provide one URL configuration option?

I don't think this is supported. Maybe you could map the service to a secret URL like /hsdfosrgwr23dd/v2 instead of just /v2?