olssonm / l5-very-basic-auth Goto Github PK

Switched my environment from PHP 5.6 to 7.2 and prompt still works however after entering the correct password, it declines it.

As soon as I switch over to 5.6, the username/password combination works again.

I know PHP 7 is not supported but it would really help to support it in my situations where people are upgrading or migrating their hosts.

Will update to function properly with Laravel 5.4 ASAP. Just need orchestra/testbench to support 5.4 first to be able to run proper tests.

Authorization headers do not work as expected when using the Apache CGI-module.

It would be nice if there was a fix for this built in directly in the package to remove the need for a custom solution to circumvent this, as this issue might be common on shared hosting services. The only custom code that would be needed is a line in the .htaccess.

For reference:
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]

For previous discussion, see #5.

Hi,

I'm using your package for a fork of a dashboard package.
I'd like to show the page on a old raspberry pi in the Epiphany Browser (v3.8.2) in kiosk mode.

But the site could not been loaded. The browser don't stop loading the page and don't show the authentication dioalog as expected.

Since I can solve this with native apache basic authentication, this is not critical at all. But I thought this could be a Problem with some Browsers want to be fixed.

Hope it helps.

このパッケージは日本人のユーザーがたくさんいるますけど、ドキュメンテーションは英語だけです。誰かが私を助けることができますか。

(すみません、私の日本語はあまりよくないんです)

Hi,

every time I open the my test page I get the prompt to enter details, enter them and get another prompt. This is due to the fact, that $request->getUser() and $request->getPassword() are always empty. In postman and curl I simply get the error message.

I installed laravel in a subfolder, could it be some redirect issue? Maybe I have to enter something in .htaccess?

thanks

This is a huge security risk for debug/test environments.

Seems like you should not respond with a Laravel response object.

Support for PHP 8 is available and has been tested.

However, Travis CI doesn't seem to support PHP 8 just yet so the build is failing. Until all tests has been passed I will not put out a new release.

In the meanwhile – if PHP 8 support i critical, require the hash bfd6e8a on dev-master. I.e:

composer require olssonm/l5-very-basic-auth:dev-master#bfd6e8a

Hi and thanks for creating the package.

I have a multi-lingual site and would like to customize the 'opt out / cancel' message.
I tried updated the 'very_basic_auth.php' config file to include

'error_message'     =>  trans('auth.opt_out')

but get an error. Is this supported? Is there a different way of doing this?

Thanks in advance

Hi, as the title suggests;

# Inline
Route::group(['middleware' => 'auth.very_basic:admin,password'], function() {
    ...
});

# Config
Route::group(['middleware' => 'auth.very_basic:services.xservice.basic_auth'], function() {
    ...
});

Basically the config part can be negated as can be used as:

Route::group([ 'middleware' => 'auth.very_basic:' . config('services.xservice.basic_auth') ], function() {
    ...
});

Thank you. Package works great - straight out of the box, though the creation of the config file in the vendor folder (which should be write-only to web processes) is a little disconcerting.

Anyway, my requirement. I would like to be able to protect a route or group using basic auth details, but I don't want the browser to pop up with a user credentials box. This is specifically for a machine-to-machine API, so no user will ever be logging in, and any user encountering the route should not be given clues that basic auth is in place on that route.

The idea is just to return a 401 without the WWW-Authenticate header, or better still a 404 - no clues that a route is there.

Obviously it's not going to stop a brute force attempt given the knowledge about the route, but a little security-by-obscurity should help to reduce the likelihood of it happening.

Is this something you would be interested in supporting, if I had a PR?

I'm having this error in my production logs:

file_put_contents(/var/www/vendor/olssonm/l5-very-basic-auth/src/config.php): Failed to open stream: Permission denied

It happens every few seconds. Besides that the authentication is working.

I have published the configuration file in my config folder.

There are a few places where "=" is used instead of the correct "=>" for arrays in the documentation.

A random password (using str_rand()) should be set when running $ php artisan vendor:publish – don't want users accidentally going live with a weak password that is easily findable.

Would be nice if you could input an encrypted password in the config file so that its not in clear text.