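bool
RequestAuth(TSession *   const sessionP,
            const char * const credential,
            const char * const user,
            const char * const pass) {
/*----------------------------------------------------------------------------
   Authenticate requester, in a very simplistic fashion.

   If the request executing on session *sessionP specifies basic
   authentication (via Authorization header) with username 'user', password
   'pass', then return TRUE.  Else, return FALSE and set up an authorization
   failure response (HTTP response status 401) that says user must supply an
   identity in the 'credential' domain.

   When we return TRUE, we also set the username in the request info for the
   session to 'user' so that a future SessionGetRequestInfo can get it.

   'credential' is copied verbatim into the quoted realm of the
   WWW-Authenticate header, so the caller must not pass a value containing
   a double quote or line break.

   A 'user':'pass' pair too long for its base64 form to fit the local
   80 byte buffer is refused (FALSE, 401) instead of being encoded past the
   end of that buffer.
-----------------------------------------------------------------------------*/
    bool authorized;
    char * authHdrPtr;

    authorized = FALSE;
        /* Default deny; set TRUE only after a complete match below */

    authHdrPtr = RequestHeaderValue(sessionP, "authorization");
        /* NOTE(review): the token helpers below appear to modify the string
           they parse, so this works directly on the session's stored header
           value -- confirm that is acceptable.
        */
    if (authHdrPtr) {
        const char * authType;

        NextToken((const char **)&authHdrPtr);
        GetTokenConst(&authHdrPtr, &authType);
            /* The scheme name is read exactly once.  The listing followed
               this with 'authType = GetToken(&authHdrPtr)', which would
               read a second token over 'authType' (presumably the
               credentials), so the comparison with "basic" could not
               succeed.
            */
        if (authType && xmlrpc_strcaseeq(authType, "basic")) {
            const char * userPass;
            char userPassEncoded[80];

            NextToken((const char **)&authHdrPtr);

            xmlrpc_asprintf(&userPass, "%s:%s", user, pass);

            /* xmlrpc_base64Encode() takes no output size.  Base64 emits 4
               characters per 3 input bytes plus a terminating NUL, so only
               encode when that fits.  Assumes the encoder inserts no line
               breaks -- confirm.
            */
            if (strlen(userPass) <= (sizeof(userPassEncoded) - 1) / 4 * 3) {
                xmlrpc_base64Encode(userPass, userPassEncoded);

                /* NOTE(review): xmlrpc_streq() is presumably an ordinary
                   string comparison whose running time depends on how many
                   leading characters match; consider a constant-time
                   comparison for the credential check.
                */
                if (xmlrpc_streq(authHdrPtr, userPassEncoded)) {
                    /* strdup() result is not checked: on allocation failure
                       requestInfo.user is NULL although we report success.
                    */
                    sessionP->requestInfo.user = strdup(user);
                    authorized = TRUE;
                }
            }
            xmlrpc_strfree(userPass);
        }
    }

    if (!authorized) {
        const char * hdrValue;

        xmlrpc_asprintf(&hdrValue, "Basic realm=\"%s\"", credential);
        ResponseAddField(sessionP, "WWW-Authenticate", hdrValue);
        xmlrpc_strfree(hdrValue);

        ResponseStatus(sessionP, 401);
    }
    return authorized;
}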
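abyss_bool
RequestAuth(TSession *   const sessionP,
            const char * const credential,
            const char * const user,
            const char * const pass) {
/*----------------------------------------------------------------------------
   Authenticate requester, in a very simplistic fashion.

   If the request executing on session *sessionP specifies basic
   authentication (via Authorization header) with username 'user', password
   'pass', then return true.  Else, return false and set up an authorization
   failure response (HTTP response status 401) that says user must supply an
   identity in the 'credential' domain.

   When we return true, we also set the username in the request info for the
   session to 'user' so that a future SessionGetRequestInfo can get it.

   'credential' is copied verbatim into the quoted realm of the
   WWW-Authenticate header, so the caller must not pass a value containing
   a double quote or line break.

   If memory for a working buffer cannot be allocated, we treat the request
   as unauthorized (false, 401).
-----------------------------------------------------------------------------*/
    bool authorized;
    const char * authValue;

    authorized = false;
        /* Default deny; set true only after a complete match below */

    authValue = RequestHeaderValue(sessionP, "authorization");
    if (authValue) {
        char * const valueBuffer = malloc(strlen(authValue) + 1);
            /* A buffer we can mangle as we parse the authorization: value.
               The +1 holds the terminating NUL that strcpy() writes;
               without it the copy runs one byte past the allocation.
            */

        if (valueBuffer) {
            /* The allocation result is what must be tested here; testing
               'authValue' again would let a failed malloc() reach strcpy().
               Should return error on failure, but we have no way to do that.
            */
            const char * authType;
            char * authHdrPtr;

            strcpy(valueBuffer, authValue);
            authHdrPtr = &valueBuffer[0];

            NextToken((const char **)&authHdrPtr);
            GetTokenConst(&authHdrPtr, &authType);
            if (authType && xmlrpc_strcaseeq(authType, "basic")) {
                const char * userPass;
                char * userPassEncoded;

                NextToken((const char **)&authHdrPtr);

                xmlrpc_asprintf(&userPass, "%s:%s", user, pass);

                /* xmlrpc_base64Encode() takes no output size, so size the
                   buffer from the input: 4 characters per 3 input bytes
                   plus a terminating NUL.  A fixed 80 byte array overflows
                   once 'user':'pass' exceeds 57 bytes.  Assumes the encoder
                   inserts no line breaks -- confirm.
                */
                userPassEncoded =
                    malloc(4 * ((strlen(userPass) + 2) / 3) + 1);

                if (userPassEncoded) {
                    xmlrpc_base64Encode(userPass, userPassEncoded);

                    /* NOTE(review): xmlrpc_streq() is presumably an ordinary
                       string comparison whose running time depends on how
                       many leading characters match; consider a
                       constant-time comparison for the credential check.
                    */
                    if (xmlrpc_streq(authHdrPtr, userPassEncoded)) {
                        sessionP->requestInfo.user = xmlrpc_strdupsol(user);
                        authorized = true;
                    }
                    free(userPassEncoded);
                }
                xmlrpc_strfree(userPass);
            }
            free(valueBuffer);
        }
    }

    if (!authorized) {
        const char * hdrValue;

        xmlrpc_asprintf(&hdrValue, "Basic realm=\"%s\"", credential);
        ResponseAddField(sessionP, "WWW-Authenticate", hdrValue);
        xmlrpc_strfree(hdrValue);

        ResponseStatus(sessionP, 401);
    }
    return authorized;
}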