[Tutorial] PHP Basic Auth using configured users

cookies
First post
Posts: 1
Joined: Sat Dec 28, 2019 4:05 am


Post by cookies »

I just wanted to share my findings to get basic auth working for a PHP script which I will use to access files on the NAS.

In your web folder (e.g. `/share/Web` on the NAS or https://IP-OF-YOUR-NAS/web) create a file called `.htaccess` and add the line

```apache
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
```
In your php file use the following function to make use of basic auth using the NAS configured users:

```php
function require_auth() {
    // When the Authorization header is passed through by the .htaccess SetEnvIf
    // line it arrives as REDIRECT_HTTP_AUTHORIZATION holding "Basic base64(user:pass)".
    if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
        // Limit 2 so a password containing ':' is not truncated; the array
        // union supplies an empty password when no ':' was present at all.
        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
            explode(':', base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)), 2) + [1 => ''];
    }

    header('Cache-Control: no-cache, must-revalidate, max-age=0');
    $is_not_authenticated = true;
    $has_supplied_credentials = !(empty($_SERVER['PHP_AUTH_USER']) && empty($_SERVER['PHP_AUTH_PW']));
    if ($has_supplied_credentials) {
        $result = false;

        $usr = $_SERVER['PHP_AUTH_USER'];
        $pwd = $_SERVER['PHP_AUTH_PW'];
        // pwauth reads the username and the password on two stdin lines and
        // reports its verdict through the exit status (0 = accepted).
        $handle = popen('/usr/local/apache/bin/pwauth', 'w');
        if ($handle !== false) {
            fwrite($handle, "$usr\n$pwd\n");
            $result = pclose($handle);
        }

        if ($result === 0) {   // Login OK
            $is_not_authenticated = false;
        }
    }

    if ($is_not_authenticated) {
        header('HTTP/1.1 401 Authorization Required');
        header('WWW-Authenticate: Basic realm="Access denied"');
        exit;
    }
}
```
Keep in mind that this only verifies whether the username/password combination is valid. There is no restriction on which files can be accessed by your script. I don't know where to get the corresponding ACL configs for a given user, but maybe someone else can provide this info.

Also I don't know the limitations of this method of authentication, since I don't know how `/usr/local/apache/bin/pwauth` determines if the credentials are valid.

EDIT: A recent update caused pwauth to not work anymore with the apache user (httpdusr). E.g. a test via ssh and `sudo -H -u httpdusr /usr/local/apache/bin/pwauth` failed.
As mentioned in a Debian bug report (https://bugs.debian.org/cgi-bin/bugrepo ... bug=615027) it is now working again if you set the SUID bit using `chmod 4755 /usr/local/apache/bin/pwauth`. Not sure if this was reset during an update.
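As an added example (not the original poster's code and not part of QNAP's firmware), here is a hardened variant of the function above: it accepts only a well-formed `Basic` header, keeps passwords that contain `:` intact, refuses input that pwauth's line-based protocol cannot carry, and adds a `realpath`-based confinement check for the caveat that the script alone decides which files it serves. It assumes PHP 7.1+, pwauth at the path the post uses, and a single base directory (`/share/Web/files` is a placeholder) holding the files to serve.

```php
<?php
// Added example, not the original poster's code: a hardened variant of the
// require_auth() pattern above plus a path-confinement helper for the caveat
// that the script itself decides which files are reachable. Assumed: pwauth at
// the path the post uses and files served from one fixed base directory.

function parse_basic_header(string $header): ?array {
    // Accept only "Basic <base64>"; strict base64 decoding rejects junk.
    if (!preg_match('#^Basic\s+([A-Za-z0-9+/=]+)$#', $header, $m)) { return null; }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) { return null; }
    return explode(':', $decoded, 2);  // limit 2: a password may contain ':'
}

function check_with_pwauth(string $user, string $pass): bool {
    // pwauth reads one field per line, so embedded newlines or NULs are refused.
    if ($user === '' || strpbrk($user . $pass, "\n\0") !== false) { return false; }
    $handle = popen('/usr/local/apache/bin/pwauth', 'w');
    if ($handle === false) { return false; }
    fwrite($handle, "$user\n$pass\n");
    return pclose($handle) === 0;  // only exit status 0 means "accepted"
}

function require_auth(): string {
    header('Cache-Control: no-cache, must-revalidate, max-age=0');
    // Header forwarded by the .htaccess SetEnvIf line (possibly REDIRECT_-prefixed).
    $raw = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    $creds = parse_basic_header($raw);
    if ($creds === null && isset($_SERVER['PHP_AUTH_USER'])) {  // mod_php populated it
        $creds = [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    }
    if ($creds === null || !check_with_pwauth($creds[0], $creds[1])) {
        header('WWW-Authenticate: Basic realm="Access denied"');
        http_response_code(401);
        exit;
    }
    return $creds[0];
}

// Resolve a user-supplied relative path inside $baseDir; null if it escapes
// the directory (e.g. via "../" or a symlink) or is not a regular file.
function resolve_allowed_path(string $baseDir, string $requested): ?string {
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $requested);
    if ($base === false || $target === false || !is_file($target)) { return null; }
    return strpos($target . '/', $base . '/') === 0 ? $target : null;
}
$user = require_auth();
$file = resolve_allowed_path('/share/Web/files', $_GET['f'] ?? '');  // placeholder dir
if ($file === null) { http_response_code(404); exit; }
readfile($file);
```

The confinement check answers the "which files" question only at the path level; mapping the authenticated `$user` to the NAS share ACLs is still the open point the post raises.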
Albercik
Starting out
Posts: 11
Joined: Fri Aug 27, 2021 1:46 am

Re: [Tutorial] PHP Basic Auth using configured users

Post by Albercik »

Hello and thank you very much for this tutorial! This is exactly what I was looking for!

I'm building a simple PHP interface that will allow access to my files in a simpler way than using the built-in File Station. The above code works flawlessly, but... I can't find a way to log out the user.

Can you please point me in the correct direction on how to achieve this?

Thank you in advance and best regards!
Tom

[EDIT]
After a while I've made some code that seems to be working.
1. In index.php I'm checking if the logout function has been called:

```php
if (isset($_GET['logout'])) {
    $qnapAuth->logout();
}
```
2. There's a link (quick and dirty for testing only):

```html
<a href="index.php?logout">Logout</a>
```
3. Finally, there's a method that invalidates the session and removes the username and password from the $_SERVER variable:

```php
public function logout() {
    unset($_SERVER['PHP_AUTH_USER']);
    unset($_SERVER['PHP_AUTH_PW']);
    header('HTTP/1.1 401 Authorization Required');
    header('WWW-Authenticate: Basic realm="Access denied"');
    exit;
}
```
[EDIT2]
Sadly, it turned out that the above code doesn't exactly work as it's supposed to. After logging out, if I go to index.php manually, the user is still logged in. It seems that the username and password are being kept in the $_SERVER variable even after unsetting them.
It seems that the only option is to add $_SESSION verification and invalidate the session on logout.
I'll try to figure this out and will post if I find a solution.