HTTP Basic authentication (BA) is the simplest technique for enforcing access control to web resources: it doesn’t require cookies, session identifiers, or login pages, but instead uses static, standard HTTP headers, so no extra handshakes are needed on the connection.
The BA mechanism provides no protection for the transmitted credentials: they are merely Base64-encoded, not encrypted or hashed in any way. For that reason, Basic Authentication is typically used over HTTPS.
GNU Artanis doesn’t support HTTPS at present. There are plans to support it in the future.
Let’s see a simple example:
(define (my-checker rc user passwd)
  (and (string=? user "jack")
       (string=? passwd "123")))

(post "/bauth" #:auth `(basic ,my-checker)
  (lambda (rc)
    (if (:auth rc)
        "auth ok"
        (throw-auth-needed))))
Another simple way to provide authentication is to compare the password against one stored in a database table:
(post "/bauth" #:auth `(basic Person username passwd)
  (lambda (rc) ...))
NOTE: Assuming username and passwd are columns of the Person table.
Otherwise you have to define your own checker as a procedure of the form (lambda (rc u p) ...), which returns #t for success and #f for failure.
APIs:
(:auth rc)
checks whether Basic Authentication succeeded; it returns #f if not.
(throw-auth-needed)
is a useful helper function that asks the client side for authentication.
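As an added illustration (not Artanis code, and written in Python rather than Scheme so that it can be run stand-alone), the following shows what the BA mechanism described at the top of this page actually does on the wire, and what a checker like my-checker and the (:auth rc) / (throw-auth-needed) pair amount to: the Authorization header is parsed and Base64-decoded, the user/password pair is handed to a checker that returns a boolean, and a failed or missing credential produces a 401 with a WWW-Authenticate challenge. The user table, the realm name "bauth" and the function names are constructed for this example; note that decoding the header recovers the plaintext password, which is exactly why the page says BA belongs over HTTPS.

```python
import base64
import binascii
import hmac
from typing import Callable, Dict, Optional, Tuple

# Constructed credential store for the example (mirrors the page's jack/123).
# A real checker would compare against a salted password hash, not plaintext.
USERS: Dict[str, str] = {"jack": "123"}


def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <token>' header.

    Returns None if the header is absent, uses another scheme, is not valid
    Base64, or does not decode to 'user:password'. Base64 is only an encoding,
    so anyone who can read the request can read the password.
    """
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def my_checker(user: str, password: str) -> bool:
    """Counterpart of the page's (my-checker rc user passwd): True means success."""
    expected = USERS.get(user, "")
    # compare_digest keeps comparison time independent of where the first
    # mismatching byte is. The comparison runs even for unknown users so the
    # unknown-user path is not noticeably faster than the wrong-password path.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return ok and user in USERS


def handle_request(headers: Dict[str, str],
                   checker: Callable[[str, str], bool],
                   realm: str = "bauth") -> Tuple[int, Dict[str, str], str]:
    """Return (status, response_headers, body), like the (:auth rc) test in the handler."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is not None and checker(*creds):
        return 200, {}, "auth ok"
    # What (throw-auth-needed) amounts to: a 401 plus a WWW-Authenticate
    # challenge so that the client prompts the user for credentials.
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, "authentication required"


if __name__ == "__main__":
    good = {"Authorization": "Basic " + base64.b64encode(b"jack:123").decode()}
    print(handle_request(good, my_checker))   # (200, {}, 'auth ok')
    print(handle_request({}, my_checker))     # 401 with the challenge header
```

The checker here has the same contract as the page's Scheme one: it receives the decoded user and password and returns a boolean, and the handler treats anything other than a true result as "ask the client to authenticate".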