Re: [hackers] [quark] Thoughts on CGI and authentication?

From: Nick <suckless-hackers_AT_njw.name>
Date: Fri, 23 Oct 2020 06:27:08 +0100

Quoth José Miguel Sánchez García:
> Thanks for suggesting basic! I wasn't sure about it, as it's pretty
> insecure nowadays. But I acknowledge that, for quark's use cases, it
> is perfectly reasonable.

I don't think it's insecure presuming the HTTP is being served
behind some TLS connection. And if you're doing authentication you
want that anyway. I haven't particularly thought it through, though,
maybe there's something dangerous about it. I mean, lack of browser
support for a straightforward "log out" function sucks, but hey,
it's the web, of course it's broken.

The filesystem based thing sounds odd to me, personally - I think
it's common for websites to have a quite different set of users to
those that exist on the server operating system. But I think setting
it in config.h is also a bad idea, as one of the nice design things
about quark is the ability to run it straight from the command line,
and needing to recompile to redo authentication would detract from
that. Maybe a simple authentication file with
username<space>password one per line, which is passed to a flag,
would be good? If you want a system with different files accessible
to different users, though, then reusing filesystem permissions is
the only non-intrusive way I can imagine.

Just some early morning thoughts. I look forward to Anselm replying
and saying that authentication is out of scope for quark, keeping us
all honest ;)

Nick
Received on Fri Oct 23 2020 - 07:27:08 CEST
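
One way the auth file proposed above (username<space>password, one per line) could be checked against an HTTP Basic `Authorization` header value. This is an added example, not code from quark or from this thread: `check_basic`, `b64_decode`, `ct_eq` and the sample credentials are made up for illustration, and the second field is taken as the literal password. That the header decodes without any key is the reason the message ties Basic to TLS.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample auth file: "username<space>password", one per line. */
static const char SAMPLE[] = "alice s3cret\nbob hunter2\n";

/* Decode base64 into out; returns the byte count or -1 on bad input. */
static int b64_decode(const char *in, char *out, size_t cap) {
	static const char tbl[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	unsigned int acc = 0, bits = 0, n = 0;
	for (; *in && *in != '='; in++) {
		const char *p = strchr(tbl, *in);
		if (!p || n >= cap)
			return -1;
		acc = (acc << 6) | (unsigned int)(p - tbl);
		if ((bits += 6) >= 8)
			out[n++] = (char)((acc >> (bits -= 8)) & 0xff);
	}
	return (int)n;
}

/* Compare two byte strings without stopping at the first difference. */
static int ct_eq(const char *a, size_t la, const char *b, size_t lb) {
	size_t i, diff = (la != lb);
	for (i = 0; i < la && lb; i++)
		diff |= (unsigned char)(a[i] ^ b[i % lb]);
	return diff == 0;
}

/* Return 1 if the Authorization header value matches a line of the file. */
int check_basic(const char *hdr, const char *file) {
	char cred[256];
	const char *pass, *sp;
	size_t n, ulen;
	int len, ok = 0;
	if (strncmp(hdr, "Basic ", 6) != 0)
		return 0;
	len = b64_decode(hdr + 6, cred, sizeof(cred));
	if (len < 0 || !(pass = memchr(cred, ':', (size_t)len)))
		return 0;
	ulen = (size_t)(pass++ - cred); /* user before ':', password after */
	for (; *file; file += n + (file[n] == '\n')) { /* every line, no early exit */
		n = strcspn(file, "\n");
		if ((sp = memchr(file, ' ', n))) /* split at the first space */
			ok |= ct_eq(cred, ulen, file, (size_t)(sp - file)) &
			      ct_eq(pass, (size_t)len - ulen - 1, sp + 1, n - (size_t)(sp + 1 - file));
	}
	return ok;
}
int main(void) { /* header value below is base64("alice:s3cret") */
	printf("%d\n", check_basic("Basic YWxpY2U6czNjcmV0", SAMPLE));
	return 0;
}
```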
