From e39c287569a20fc070b6ccdf52d339a7da1e11cf Mon Sep 17 00:00:00 2001
From: defanor
Date: Sun, 31 Mar 2019 05:45:39 +0300
Subject: Handle `auth=fail`

Ignore credentials provided by a user, serve documents with status code 401.
---
 Main.hsc | 5 +++--
 README.md | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/Main.hsc b/Main.hsc
index 53a9a2f..f75d69e 100644
--- a/Main.hsc
+++ b/Main.hsc
@@ -322,9 +322,10 @@ main = do
 to <- maybe 10 read <$> lookupEnv "TIMEOUT"
 maybe (respond 504 "") pure =<< timeout (to * 10 ^ (6 :: Int)) (case (lookup "auth" ps, baCredentials =<< BS.pack <$> ha) of
+ (Just "on", Nothing) -> respond 401 ""
+ (Just "try", Nothing) -> serve True xsltDir (connectdb "") ps
+ (Just "fail", _) -> serve True xsltDir (connectdb "") ps
 (_, Just (l, p)) -> serve False xsltDir (connectdb (connString [("user", l), ("password", p)])) ps
- (Just "on", Nothing) -> respond 401 ""
- (Just "try", Nothing) -> serve True xsltDir (connectdb "") ps
 _ -> serve False xsltDir (connectdb "") ps)
diff --git a/README.md b/README.md
index f5343e9..5b712c2 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,11 @@ a database connection failure was password-related. With `auth=try` pgxhtml would serve pages composed using defaults if no credentials are provided, but with 401 status code.
+`auth=fail` would ignore user-provided credentials and serve pages
+with 401 status code. It can be used to circumvent poor authentication
+handling by some web browsers.
+
+
 ### Web server
 This is intended to be used with an HTTP server, which would take care
-- 
cgit v1.2.3
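Review bot: The new `(Just "fail", _)` alternative discards credentials only because it is matched before `(_, Just (l, p))`; nothing in the case expression records that, and a later reorder would silently go back to connecting with the client-supplied login and password. A comment above it would pin the intent, e.g. `-- keep above the credentials case: auth=fail deliberately ignores any supplied login`. The branch renders the page over `connectdb ""` exactly as `(Just "try", Nothing)` does, and per the commit message the body still goes out with the 401, so the status code withholds nothing; if `ps` holds request parameters (its origin is outside this hunk), any client can select this branch, which is worth stating next to the comment so the default database role is kept to data meant for unauthenticated readers. The case expression belongs to `main`, whose body starts outside the hunk.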