I'm working on writing an API for a web project. Basic authentication is used to identify API users. In order to test an API call I can use the curl command line tool and write something like this:

curl -H "Authorization: Basic Tm9TY1hETjRGNjIwZ1FwcTZOMENjMHczSjJDTjFlcnM6VmhWM21kUHF1MkIyMjFDaWRKVE4odyYmbyRpTEBsM0U=" http://example.com/api/function

On the test server we have HTTP authentication. I've uploaded the scripts with the API functionality and now I don't understand how I can make a call to the API function on the test server. How can I provide a username and password for HTTP authentication and then provide a username and password for the API?

Tamara
  • Note that cURL can do more work for you. Check out the `--user` option to avoid handcrafting the base64 header yourself. As for your question, I don't think you can, but I'd be glad to be wrong. The problem is about double authentication... Can you change your test server to just accept tunneled traffic? Then there would be no need for HTTP authentication... – Eric Platon Dec 31 '14 at 15:45
  • @EricPlaton Hi. Thank you for the answer. As for the --user option, I tried it but I receive the error "!eUz-774SB%jD!g$8cJnG : event not found". I suppose it's because of special characters in the API credentials. Here is an example of the username and password: kJKh4VpY4El8OKSE529gPn7doOP485wk:y58pspmFQAD!eUz-774SB%jD!g$8cJnG Is there any way to handle credentials with special characters? – Tamara Dec 31 '14 at 15:57
  • Your shell may be interpreting chars. How about using double quotes around? E.g. `--user "username:password"`, or single quotes if needed. – Eric Platon Dec 31 '14 at 16:22

1 Answer

Basically, you are trying to perform two authentications in a row, with the same method. This is not a scenario covered by [this authentication protocol][1]---so in short, you cannot with standard settings.

The reason why the protocol cannot cater for this scenario is a header clash: the first challenge will use the WWW-Authenticate / Authorization header pair, and so will the second, in a single request.

One way to allow for a double authentication requires changes (that you may not be allowed to do):

  • You could have the first authentication process accept two pairs of headers, authenticate against the first one, and then rewrite the headers for the second authentication process. This should be fine for a test environment, provided the environment contains no security-sensitive data, e.g. customer data. Absolutely a bad idea otherwise.
  • You could replace the first authentication process by a different protocol. For example, you could deactivate the process and require an SSH / VPN tunnel to access the machine. Then, all HTTP requests could be tunneled and they would just need to authenticate against the second process.

One final thing. I did not know this would not work:

curl --user "test:password" http://stan:uberflow@myserver.com

Both --user and the credentials in the URL use basic authentication, so they step on each other. It may depend on the implementation; in my environment --user has precedence.

[1]: I carefully avoided saying security protocol, as HTTP Basic Authentication is not "very" secure, and it offers poor protection over HTTPS.

Eric Platon
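As an added example (not part of the question or the answer above), this shell script builds and decodes the Basic Authorization header for credentials containing shell metacharacters like the ones discussed in the comments, and shows the quoting that keeps the shell from mangling them. The credentials and the https://test.example.com URL are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Build an HTTP Basic
# Authorization header from a username and password that contain shell
# metacharacters, without letting the shell interpret them.
#
# Why `--user user:pass` failed in the comments: in an interactive bash,
# `!` triggers history expansion ("event not found") even inside double
# quotes, and `$` starts variable expansion. Single quotes stop both.
# Scripts do not history-expand, but this makes it explicit in bash
# (the guard keeps the line harmless under plain sh).
set +H 2>/dev/null || true

# Constructed sample credentials (not the ones from the question).
API_USER='demo_user'
API_PASS='p!ss$w&rd%42'

# basic_auth_header USER PASS -> prints the Authorization header value.
# printf '%s' avoids the trailing newline that `echo` would base64-encode
# into the credential, a common cause of "valid password, still 401".
basic_auth_header() {
    user="$1"
    pass="$2"
    printf 'Basic %s' "$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')"
}

# basic_auth_decode HEADER_VALUE -> prints user:pass, so a reader can
# check what a captured Authorization header actually carries.
basic_auth_decode() {
    value="${1#Basic }"
    printf '%s' "$value" | base64 -d
}

# The handcrafted header and `--user` are the same mechanism: both fill
# the single Authorization slot, so use one or the other, never both.
HEADER="$(basic_auth_header "$API_USER" "$API_PASS")"
echo "curl -H 'Authorization: $HEADER' https://test.example.com/api/function"
echo "curl --user '$API_USER:$API_PASS' https://test.example.com/api/function"
```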