I am using tuupola with slim framework to secure android connection but I always get this error although I followed the steps that I found in this site : https://github.com/tuupola/slim-basic-auth

I am testing the SLIM structure for my new API REST project.

I installed SLIM on my Apache CGI server online with SSL certificate: ok, it works! I can access my resource from my computer (http://domaine.fr/v1/test for example)

I tested with basic authentication through the htaccess file. I type user / password to access my resource: it works!

Now, "I would like to test with basic authentication in SLIM with https://github.com/tuupola/slim-basic-auth

But it does not work! It always asks me for the login and password!

Copy pasted your example into index.php with users, t00r and I get this error:

Fatal error: Uncaught exception 'RuntimeException' with message 'Insecure use of middleware over HTTP denied by configuration.' in /home/httpd/testapi/vendor/tuupola/slim-basic-auth/src/HttpBasicAuthentication.php:92
Stack trace:
#0 /home/httpd/testapi/vendor/slim/slim/Slim/Slim.php(1302): Slim\Middleware\HttpBasicAuthentication->call()
#1 /home/httpd/testapi/public/index.php(96): Slim\Slim->run()
#2 {main}
  thrown in /home/httpd/testapi/vendor/tuupola/slim-basic-auth/src/HttpBasicAuthentication.php on line 92

Any idea?

Hello, I can't connect to my app on remote server. It works on local but not on remote server :

$application->add(new HttpBasicAuthentication([
    'realm' => 'Piso',
    'secure' => true,
    'relaxed' => ['localhost'],
    'users' => [
        'root' => '$2y$10$TJor1LmWl5Vi9Ljrqp5Fr.S5TdIUbleIei9.Ndo0gT1IO0/ELwKyK',
        'test' => 'azerty'
    ]
]));

I use "tuupola/slim-basic-auth": "^3.0" .

Thank you

I want to setup authentication on multiple paths for my API. In most cases I'll need authentication but in others I definitely don't want authentication (i.e. registration). I know I can create separate instances of \Slim\Middleware\HttpBasicAuthentication but is there a way to create a single instance that includes multiple paths?

I ran into "Insecure use of middleware over HTTP denied by configuration." when I deployed and found this discussion of the issue in #12

I have worked around the problem by setting "secure" => "false".

However, I think that a better solution would be to allow HttpBasicAuthentication to be configured to permit forwarded https requests.

The use case is where a load balancer or cdn is terminating https requests which are then forwarded over http to slim.

An example implementation can be found here: https://github.com/oscarotero/psr7-middlewares/blob/master/src/Middleware/Https.php#L110

By implementing, testing and documenting this configuration capability, slim-basic-auth would help the end user to securely and quickly set up basic authentication in what I assume is a common deployment scenario.

this code works in my development environment:

$app->add(new \Slim\Middleware\HttpBasicAuthentication(
  [
    "path" => "/admin",
    "secure" => false,
    "users" => [
      "admin" => "admin"
    ]
  ]
));

But on my production server is keeps asking over and over for the password (the error message is that authentication failed.

However, changing the path to "path" => "admin" fixed the issue immediately (and on page reload I didnt have to login again)

Just a heads up for any others running into this

Hi i just found some errors in your code and debugged it

`namespace Slim\Middleware\HttpBasicAuthentication;

class ArrayAuthenticator implements AuthenticatorInterface {

public $options;

public function __construct($options = null)
{

    /* Default options. */
    $this->options = [
        "users" => []
    ];
		
    if ($options) {
        $this->options = array_merge($this->options, (array)$options);
    }
		
}

public function __invoke(array $arguments)
{
    $user = $arguments["user"];
    $password = $arguments["password"];

    /* Unknown user. */
    if (!isset($this->options["users"]["user"])) {
        return false;
    }

    if (self::isHash($this->options["users"]["password"])) {
        /* Hashed password. */
        return password_verify($password, $this->options["users"]["password"]);
    } else {
        /* Cleartext password. */
        return $this->options["users"]["password"] === $password && $this->options["users"]["user"] === $user;
    }
}

public static function isHash($password)
{
    return preg_match('/^\$(2|2a|2y)\$\d{2}\$.*/', $password) && (strlen($password) >= 60);
}

}`

Im having a strange error.

On my localhost (windows10 with xampp) all my slim api is working fine, but when i put it on my server (ubuntu) i've got the error: PHP Fatal error: Uncaught Error: Class 'Slim\Middleware\HttpBasicAuthentication' not found /var/www/html ...

Some useful notes: My composer.php { "require": { "slim/slim": "^3.9", "tuupola/slim-basic-auth": "^3.0", "slim/middleware": "*", "firebase/php-jwt": "^5.0", "tuupola/slim-jwt-auth": "^3.0", "tuupola/base62": "^0.10.0", "tuupola/cors-middleware": "^0.7.0" } }

My bootstrap.php $app->add(new \Tuupola\Middleware\HttpBasicAuthentication([

"users" => [
    "root" => "toor"
],
"path" => ["/"],
/**
 * Whitelist - Protege todas as rotas e só libera as de dentro do array
 */
"passthrough" => ["/auth"]

]));

Can you please give some tips? Thank you

Hi,

There is a way to add an attribute/header in the request in callback (or authenticator) method ?

Currently I did that in two steps:

1. In authenticator when credentials are correct I set my attribute in session
2. In a second middleware I check if the attribute exist in session and I set it to the request

So I would be nice if it's possible to update the request in this middleware.

Thanks for your help ;)

there's a passthrough variable in RequestPathRule.php, but no way of set it up from configuration parameter.

edit: should have been about RequestPathRule instead of RequestMethodRule

Hi,

Getting this error message over an HTTPS connection for a server hosted on Heroku:

Insecure use of middleware over HTTP denied by configuration. File: /app/vendor/tuupola/slim-basic-auth/src/HttpBasicAuthentication.php Line: 148

FYI, in local development (over HTTPS, with a self-encrypted certificate), I get these key/pairs in $_SERVER:

[HTTPS] => on
[SERVER_PORT] => 443

Whereas on Heroku there's no such line, but, instead:

[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https

This is typical for hosting behind a proxy or load balance. See X-Forwarded-Proto.

Here's the workaround I'm using:

if (
    isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && isset($_SERVER['HTTP_X_FORWARDED_PORT'])
) {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = $_SERVER['HTTP_X_FORWARDED_PORT'];
        // Typically, `443`.
}

I guess tuupola/slim-basic-auth could check for these values as well when trying to determine if a connection is secure.

Hi,

the following configuration:

$app->add(new Tuupola\Middleware\HttpBasicAuthentication([
    "path" => ["/"],
    "ignore" => ["/api/unauthorized"],
    // ...
]));

does not work as expected, the requests to mydomain.com/api.php/api/unauthorized/... are still protected (as all those to mydomain.com/api.php/api/...). While, if I change that to something like:

$app->add(new Tuupola\Middleware\HttpBasicAuthentication([
    "path" => ["/api"],
    "ignore" => ["/api/unauthorized"],
    // ...
]));

all my requests containing mydomain.com/api.php/api/... are not protected.

What am I doing wrong? Is that a know issue (e.g. https://github.com/tuupola/slim-jwt-auth/issues/140)?

Thanks

Add request object back as parameter to the error handler.

$app->add(new Tuupola\Middleware\HttpBasicAuthentication([
    "error" => function ($request, $response, $arguments) {
      ...
    }
]));

See https://github.com/tuupola/branca-middleware/pull/13 for reference.

If a site is proxied through ClaudFlare using the "Flexible" mode (Encrypts traffic between the browser and Cloudflare), we will always get the error: "Insecure use of middleware over HTTP denied by configuration.".

That's because you incorrectly define the use of the HTTPS protocol in the following lines: https://github.com/tuupola/slim-basic-auth/blob/3.2.1/src/HttpBasicAuthentication.php#L107-L111

When using proxying through cloud providers (CloudFlare), you should use the following code: https://gist.github.com/saippuakauppias/f1082a32f5797755b69b043d4852eda2

I tried to inherit your class and fix it to get around this limitation, but your class is declared as "final". Why is that done?

PS: It is not possible to use the "Full" proxy mode in a CloudFlare, then you will need to set the slide certificate to nginx for each domain. This is a lot of manual work, which is difficult to automate (certificates are issued in the dashboard, most likely they can be issued through the API, but it's not such a task to spend a lot of time on integration with it).