On 23. 5. 25 17:05, Daniel Sahlberg wrote:
Den fre 23 maj 2025 kl 00:35 skrev Peter Balogh<pe...@svnplus.com>:
Hi,
So basically the patch becomes this
I can't say I like the actual branch condition, but I'm open to
suggestions :)
Hi,
I have not studied the patches in detail but I'm not so sure if I like the
idea of Serf special-casing / hardcoding a custom response reason. I feel
it would be better to offload this to Subversion since we control both
ends there.
I agree. Serf is a general-purpose HTTP client; what we're talking about
here is application-level behaviour. Serf already offloads
authentication to the application, and I also can't see a reason why this
would be special-cased in Serf.
Also, RFC7235 [1] requires a 401 response to send a WWW-Authenticate header
- I don't know if it would be possible to use this to send the challenge.
I have to read up on WWW-Authenticate. ISTR that aside from telling the
client /how/ to authenticate, it's also there to support complex
authentication processes.
The response could then be added as a header field. Would it be possible
for the server to return a bearer token (= more or less the same as a
Set-Cookie) that we could store client-side to include on future requests?
I'm surprised that a multi-step challenge/response mechanism isn't already
standardised in HTTP. True, all the multi-factor schemes I've used to
date are for authentication flows in browsers, where the server presents
a user interface. For headless cases, things like API tokens tend to be
generated in advance through an out of band channel (again, usually
through a UI in a browser). App tokens are, again, not multi-factor
authentication.
Maybe we will have to invent an HTTP workflow for this, but let's not go
it alone. This is, after all, the ASF and there are a few people around
that are ... quite knowledgeable about HTTP. I suggest we consult. Worst
case, there may be an IETF RFC waiting to be written.
-- Brane
P.S.: I say "worst case" because it should've been written long ago
instead of people using status 499 and stuff like that.