[pmwiki-devel] Advice on coexisting with AuthUser?

Patrick R. Michaud pmichaud at pobox.com
Sat Jul 26 02:15:18 CDT 2008


On Fri, Jul 18, 2008 at 03:45:03PM +1200, John Rankin wrote:
> Beta 67 continues to enhance pmwiki's username/password capabilities. 
> I am trying to understand what to do so that a pmwiki site under the 
> control of AuthUser can respond correctly to legitimate requests from 
> an external site. I asked on the users list but didn't get a response, 
> so I'll try again here.

Sorry about that.  I've had very limited internet connectivity for
the past couple of weeks (finally resolved that today, I think).

> Specifically, I'd like to understand what the PublishPDF library has
> to do if a site has AuthUser enabled, so that the external PDF server
> can request content from the wiki and get a response, instead of a
> prompt for a username and password. When a user requests a PDF, this 
> causes the PDF server to issue an http request for the page content, 
> so we have to authenticate the PDF server as an authorised reader,
> with the same rights as the person initiating the request.
>
> The user is already authenticated, so somehow that authentication
> information needs to be supplied to the wiki, so it doesn't ask the
> PDF server to log in. The PDF server doesn't know any user names or
> passwords. Is there a session token I can pass from the user to the 
> PDF server, that it can pass on as part of a page request and so
> inherit the user's read access rights?

Here's my initial analysis--feel free to point out any errors:

I think there's not an easy way to get the session token for an
already-authenticated user, because (1) session tokens are tied 
to cookies, (2) cookies are tied to specific domains, and (3) 
the PDF server is at a different domain, so won't get the cookie 
from the browser.

The most robust solution would be for the PDF server to 
ask the user for username and password and then pass those
along in its http request to the wiki.  It could do this at
the outset, or only when a request results in an authentication
request from the wiki.

Another slightly trickier solution would be for the wiki
to generate links and/or forms that are submitted to the
PDF server that contain the needed session token information.
In this case one would not be able to grab protected pages 
from the PDF server directly, but only via links or forms
generated from the wiki.

Let me know if either of the above makes sense and I can
point out the PHP details needed to make it work.

Pm
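
The second option above (wiki-generated links that carry token information to the PDF server), as an added example that is not part of the original message and is not PmWiki code. Rather than placing the session cookie value itself in a link, it assumes a short-lived HMAC-signed token bound to one user and one page; the function names, token layout, TTL and the pdf.example.org URL are hypothetical.

```php
<?php
// Added example, not PmWiki code. Function names, token layout and TTL are
// hypothetical; the wiki would apply its normal read checks for the returned user.

const TOKEN_TTL = 120; // seconds a delegated read token stays valid (assumed value)

// Wiki side: called while rendering the PDF link for an already-authenticated user.
function issue_read_token(string $key, string $authId, string $pagename, int $now): string
{
    $payload = json_encode(['u' => $authId, 'p' => $pagename, 'e' => $now + TOKEN_TTL]);
    $body = base64_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

// Wiki side: called when the PDF server requests the page and relays the token.
// Returns the user id whose read rights apply, or null to fall back to the login prompt.
function check_read_token(string $key, string $token, string $pagename, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) return null; // constant-time compare
    $claims = json_decode(base64_decode($body, true) ?: '', true);
    if (!is_array($claims) || !isset($claims['u'], $claims['p'], $claims['e'])) return null;
    if ($claims['p'] !== $pagename) return null; // token is bound to a single page
    if ($now > (int) $claims['e']) return null;  // token has expired
    return is_string($claims['u']) ? $claims['u'] : null;
}

// Constructed sample run.
$key  = random_bytes(32); // secret stays on the wiki; the PDF server can relay tokens, not mint them
$now  = time();
$tok  = issue_read_token($key, 'alice', 'Main.Private', $now);
$link = 'https://pdf.example.org/render?page=Main.Private&token=' . rawurlencode($tok);

var_dump(check_read_token($key, $tok, 'Main.Private', $now));       // same page, within TTL
var_dump(check_read_token($key, $tok, 'Main.Other', $now));         // token replayed for another page
var_dump(check_read_token($key, $tok, 'Main.Private', $now + 121)); // presented after expiry
var_dump(check_read_token($key, $tok . 'x', 'Main.Private', $now)); // MAC altered in transit
```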


