using forms for basic auth

2007-08-04 @ 13:44#

i'm working on creating a simple mobile interface for my blog built on the exyus framework. i want to be able to log into the blog to post a simple entry (nothing fancy). but currently, i've only implement HTTPAuth (Basic) for the framework. i like the idea of using html forms, but am not interested in crafting a new auth pattern entirely. so my idea is to build into exyus the ability to accept a form POST of user/password and then write the standard HTTP Authentication header on the server. this will continue to support HTTPAuth, but allow forms to be used to initiate the process.

i've tested teh details out on the server and all works as expected. however, i need to finalize the entire workflow - in a REST-ful kinda way - for the login process. i'm thinking like this:

  1. GET /login/ returns simple form
  2. POST /login/ w/ user/pass processes the login

once the data is posted to the server, the following can occur:

  1. validate the inputs against the user store
  2. if login fails, return the same form w/ error msg [stop]
  3. if login succeeds, craft the Authentication header
  4. see if form POST passed a valid (local) return link
  5. if yes, send a 302 w/ the Location set to the return link [stop]
  6. if no, check for a valid (local) Referrer header
  7. if yes, send a 302 w/ Location set to the Referrer [stop]
  8. if no, send a 302 w/ Location set to the root of the web app [stop]

i think this covers the basics. i'll proly also allow the admin to set a default html page/template as the html form for the return on GET /login/. this is optional, but would be nice. it might also be nice to be able to config the app to default to the html form for login instead of the standard browser HTTPAuth dialog. not sure about that, tho. the browser dialog is kinda 'ugly' but much more secure (no user data is passed in a form). of course, since i only support Basic Auth anyway, security is not yet paramount. Once i support Digest Auth, it'll be a diff story, tho.