Suppress Basic challenge on z/OSMF API 401s for XHR clients (#119)#120
Merged
Merged
Conversation
httpd returned WWW-Authenticate: Basic on every 401, including XHR/fetch calls from the mvsMF SPA. Browsers respond to that header by popping their native credential dialog, whose cached Basic credentials then outlive the token session and survive token logout -- re-introducing browser-side Basic credentials and defeating the SPA's token model. Omit the challenge when the request carries the z/OSMF CSRF marker (X-CSRF-ZOSMF-HEADER): such clients are programmatic/XHR and handle the bare 401 themselves. Genuine Basic clients (curl -u, Zowe) send credentials preemptively; a plain browser navigation with no marker still receives it. Also mark /zosmf/info and /zosmf/services/authenticate AUTH=NONE (before the gated /zosmf/* catch-all) in the sample parmlib: the anonymous reachability probe and the token login/logout endpoint do their own auth. Fixes #119
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
httpd returned
WWW-Authenticate: Basic realm="MVS"on every 401, including XHR/fetchcalls from the mvsMF SPA. Browsers respond to that header by popping their native credential dialog, and the Basic credentials the browser then caches:DELETE /zosmf/services/authenticate), re-introducing browser-side Basic credentials and defeating the token model from Auth 6/6 (mvsMF SPA): token login; stop storing the password mvsmf#161.Change
src/httppc.c(auth_required_response): omit theWWW-Authenticateline when the request carries the z/OSMF CSRF markerX-CSRF-ZOSMF-HEADER. Such clients are programmatic/XHR and handle the bare 401 themselves. The rest of the 401 (status,Cache-Control: no-store, body) is unchanged.curl -u, Zowe) send credentials preemptively and never needed the challenge.AUTH=BASICarea keeps its intended popup).FORMroutes are untouched.The env lookup is caseless (
http_find_env→http_cmp), so the marker matches regardless of header casing.Sample parmlib
samplib/httpprm0: add two exactAUTH=NONEroutes before the gated/zosmf/*catch-all (first match wins):/zosmf/info— the SPA's anonymous reachability probe gets a clean 200./zosmf/services/authenticate— the token login/logout endpoint does its own auth; the gate must not challenge it.Design note
This does not mirror stock z/OSMF — verified empirically that real z/OSMF does send
WWW-Authenticate: Basicon its REST API 401s (and ignoresX-CSRF-ZOSMF-HEADER). This is a deliberate improvement for our token-based SPA, not a compatibility claim.The cleaner long-term model — separating credential source (accept Basic) from challenge presentation (advertise Basic) via a per-route API marker — is filed as a follow-up under the auth-redesign cleanup (#105).
Verification
src/httppc.cwithcc370 -Sclean (no warnings on the changed file); theHTTP_X-CSRF-ZOSMF-HEADERliteral confirmed present in the generated assembly.make compiledbregenerated (122 entries).To verify on the live MVS system
X-CSRF-ZOSMF-HEADERpresent, a/zosmf/*401 returns noWWW-Authenticate(bare 401); without it, the challenge is still sent.Fixes #119