Bluish Coder

Programming Languages, Martials Arts and Computers. The Weblog of Chris Double.


Basic Authentication added to Factor web server

I've added a simple basic authentication mechanism to the Factor web server (called 'httpd'). Basic Authentication is built into all browsers so it makes for a simple authentication method.

It has one major downside and that is the password and username are sent from the browser to the client in clear text. You can work around this by using SSL for your web app.

Basic authentication uses usernames and passwords. These are defined to exist within a named realm. I'ved added a 'realms' symbol to httpd that holds a mapping (ie. a hashtable) from the realm name to the realm data.

The realm data can be a hashtable of usernames to passwords or a quotation with stack effect ( username password -- bool ). If it is a quotation it will be called to see if the user is valid in the given realm. If it is a hashtable the information is looked up directly. If it is anything else then the user is denied. An 'add-realm' word is provided to add (or replace) realm information:

H{ { "test1" "password1" } { "test2" "password2" } } "my-realm" add-realm
! or
[ "password" = swap "chris" = and ] "my-realm" add-realm

Realms can be set globally, per vhost or per responder in the same way as other httpd variables work.

The 'with-basic-authentication' word takes a realm name and a quotation. Before the quotation is run the http headers are checked to see if the user has been authenticated. If not a '401 Access Denied' reply is sent back to the browser with a request for basic authentication under the given realm.

The browser will then prompt the user for the username and password details and resend the request with the correct authorization headers.

If these headers exist then with-basic-authentication runs the quotation. So a simple responder is:

: my-responder ( -- )
 "my-realm" [
   "<html><body>Hello</body></html>" write
 ] with-basic-authentication ;

It can also be used with furnace, cont-responder, etc.

Another quick change I added was a 'responder-url' variable. This provides the responder portion of the URL requested. So for the default responder you'll get "/" and for other responders it will be "/responder/foo/". It always ends with a trailing slash.

This is needed for generating links and 301/307 location forwarding which require absolute url's. By using 'responder-url' you can make your responder not depend on the particular path it is installed under.

This in my repository and hopefully soon in the main factor respository. My repository is available with:

darcs get

Oh, and Happy New Year!


This site is accessable over tor as hidden service 6vp5u25g4izec5c37wv52skvecikld6kysvsivnl6sdg6q7wy25lixad.onion, or Freenet using key: