Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP API allows creating users with an email address containing a colon (:), frontend doesn't, furthermore such an account doesn't work with HTTP Basic auth. #1245

Closed
brontolosone opened this issue Oct 26, 2024 · 0 comments · Fixed by #1246
Closed

HTTP API allows creating users with an email address containing a colon (:), frontend doesn't, furthermore such an account doesn't work with HTTP Basic auth. #1245

brontolosone opened this issue Oct 26, 2024 · 0 comments · Fixed by #1246
Assignees
@brontolosone
Labels
documentation API docs, readme, developer docs

Comments

@brontolosone
Copy link
Contributor

A minor issue, but an issue all the same.

The Central HTTP API allows creating users with an email address containing a colon (:), see for instance this user I've created. But then you can't use that account for the API's HTTP Basic auth!

The frontend doesn't allow creating such a user. Wikipedia leads me to think that that's erroneous — a : in the local-part of an email address is not invalid, even though all kinds of deliverability problems may arise from using such an email address (the local part needs to be quoted, for one). Nevertheless, I could get email delivered to me, which is what I needed for a password reset, which is what I needed to try out HTTP Basic auth, which then doesn't work.

The minor problems in a nutshell:

  1. there's a discrepancy between API and frontend.
  2. you can't use an account you've created with an email address with a colon (:) in it when authenticating with HTTP Basic auth, because the colon is the internal field separator (the authorization header value is base64(utf8-encode(emailaddress:password)); thus upon unpacking that there will be ambiguity. As such Central responds with a 401 Unauthorized with body {"message":"Could not authenticate with the provided credentials.","code":401.2} when you try to do this anyway.

My point is not so much that we should accommodate for such email addresses. But I do feel there's a slight issue because we're promising things that we can't follow through on, and I think that's by accident rather than deliberate.
Where to go from here then? Two ways forward:

  • A. given that we document and support (though discourage) HTTP Basic Auth, we simply shouldn't allow creation of accounts with email addresses with a : in them. Effecting that would also remove a discrepancy between frontend and backend validation, which is tidy ✨ .

  • B. Simply document in the API documentation for HTTP Basic auth that sorry, if you managed to create an account with a colon in its email address, you can't use it for this auth scheme.

B) would certainly be the cheapest solution ;-)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brontolosone brontolosone

Labels
documentation API docs, readme, developer docs
Projects
ODK Central
Status: ✅ done
Milestone
No milestone
2 participants
@matthew-white @brontolosone