I am working on an app to feed contacts data to devices like SIP phones, so far everything is working pretty well.
But I am now trying to add a layer of security using basic auth. Yes, I know basic auth is very insecure, but I have no choice in this, as most SIP devices only support basic auth.
I want to use a custom authentication list/table for these requests instead of the user’s credentials, as using the user’s credentials would stop the feed from functioning every time the user changed their password.
The problem I have come across is that if I send a request to NC with a basic auth header, NC ends up processing the login, and does not fire my method unless I enter the NC user’s credentials.
So what are my options to get around this?
A. Is there a way to disable the NC authentication process on certain paths?
B. Is there a way to create something like application credentials?
C. Is there any other solution?
So, I’ve already tried most of these, unfortunately.
Not sure if it’s security middleware, but this is definitely something in NC. When I use a Basic Auth that does NOT match an NC user, the request gets terminated even before the application.php and routes.php get processed. I have confirmed this with xdebug, unfortunately I have not stepped through the entire load process yet.
The method is defined as public.
I have tried creating a middleware class, unfortunately, this also does not get triggered when I use a Basic Auth that does NOT match an NC user.
I have looked at the code for most of the relevant apps for NC but it seems no one has tried this before. Yay me. Lol
I had a look at the guest app, yes it uses a custom user backend, BUT, the authentication is still handled through the standard WebUI, and basic auth seems to be handled at an even lower level since it does not even trigger the application.php or the routes.php which are pretty much the bottom of the stack.
Maybe you can shoot the dev guys a message and see what they think?
Haven looked at the guests backend code, you might be able to create also a backend for fake users just for handling the SIP requests. That is not nice IMHO but might work. Let’s see, what the others might bring for an idea…
Thank you, that would be fantastic. I did read through the load process this morning, looks like the auth headers are getting picked off in the main init routine in the server base.php.
And then the login check is performed in the same class,
And I agree, having to create a back end just for this would be a pain.