Feature Request: Remove rest from the default list of AuthScripts
Motivation
Equal ajax browsing rights for guests!
Description and Documentation
By default, rest is part of the list of scripts that require a valid user. {AuthScripts} is an EXPERT setting in configure, and if ApacheLogin is being used, it needs to be changed there as well. This is not very intuitive, especially as registerRESTHandler now has the authenticate option for finer control.
Examples
Impact
A friendlier experience for browsing guests by default.
Implementation
--
Contributors: DavidPatterson - 12 Aug 2010
Discussion
I believe this is already fixed in 1.1. See registerRESTHandler at http://trunk.foswiki.org/System/PerlDoc?module=Foswiki::Func:
Additional options are set in the %options hash. These options are important to ensuring that requests to your handler can't be used in cross-scripting attacks, or used for phishing.
- authenticate - use this boolean option to require authentication for the handler. If this is set, then an authenticated session must be in place or the REST call will be rejected with a 401 (Unauthorized) status code. By default, rest handlers do not require authentication.
--
AndrewJones - 12 Aug 2010
It's also in 1.0.9. See http://foswiki.org/System/PerlDoc?module=Foswiki::Func#registerRESTHandler_alias_fn_opt
--
CrawfordCurrie - 12 Aug 2010
Ok, but I'm not seeing this behaviour in practice.
--
DavidPatterson - 12 Aug 2010
Doh!
rest is in the list of {AuthScripts} as default. This trips the rest request before the handler can even be checked for its preference.
I'm updating this feature request accordingly.
--
DavidPatterson - 12 Aug 2010
And don't forget foswiki_httpd_conf.txt, for those using Apache for authentication.
Current entry:
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
# require valid-user
#</FilesMatch>
--
AndreLichtsteiner - 12 Aug 2010
the root trouble is that rest needs to be secure by default - as in, any plugin that adds a resthandler should require auth unless it specifies that it's safe for guest use in the registerHandler.
mostly because it's trivial to write a quick and dirty resthandler that not only disobeys permissions, but also avoids the CSRF and other protections that users have the right to expect.
iirc someone already did the work to make this true without the brutish apache.conf and {AuthScripts}, I bring it up to make sure that the implementor knows they need to test for it.
--
SvenDowideit - 12 Aug 2010
I never did commit the work that would make validation, authentication and only HTTP_POST allowed methods the default in registerRESTHandler(). I wasn't ready at feature freeze.
Probably, instead of {AuthScripts}, it should be {AllowUnauthScripts} or similar.
Anyway, this feature proposal can't go ahead unless we also change registerRESTHandler() defaults to be secure by default, and move the onus of un-security onto the person calling it explicitly specifying authenticate => 0
--
PaulHarvey - 13 Aug 2010
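The two checks discussed in the comments above (the script-level {AuthScripts} gate and the per-handler authenticate option), as an added example that is not Foswiki code and not part of the original discussion. It is a toy Perl model: register_handler, dispatch, the handler aliases and the shortened script lists are all hypothetical. It prints the status a guest request receives in three constructed configurations.

```perl
use strict;
use warnings;

my %handlers;    # alias => options (hypothetical registry, not Foswiki's)

# Register a handler. $secure_default models the change proposed in the thread:
# when true, a handler that does not mention 'authenticate' requires a login.
sub register_handler {
    my ( $alias, $secure_default, %opts ) = @_;
    $opts{authenticate} = $secure_default ? 1 : 0
      unless defined $opts{authenticate};
    $handlers{$alias} = {%opts};
    return;
}

# Returns the HTTP status a request would get.
# $auth_scripts models the {AuthScripts} list; $user is undef for a guest.
sub dispatch {
    my ( $auth_scripts, $script, $alias, $user ) = @_;

    # Script-level gate: runs before any handler option is consulted.
    return 401 if !defined($user) && grep { $_ eq $script } @$auth_scripts;

    my $h = $handlers{$alias} or return 404;

    # Handler-level gate: only reached if the script-level gate passed.
    return 401 if $h->{authenticate} && !defined($user);
    return 200;
}

# Constructed scenarios: guest requests to the rest script.
for my $case (
    [ 'rest in AuthScripts, open default', [qw(edit save rest)], 0 ],
    [ 'rest removed, open default',        [qw(edit save)],      0 ],
    [ 'rest removed, auth default',        [qw(edit save)],      1 ],
  )
{
    my ( $label, $auth_scripts, $secure ) = @$case;
    %handlers = ();
    register_handler( 'public', $secure, authenticate => 0 );    # explicit opt-out
    register_handler( 'quickdirty', $secure );                   # no options given
    my @status =
      map { dispatch( $auth_scripts, 'rest', $_, undef ) } qw(public quickdirty);
    printf "%-36s public=%d quickdirty=%d\n", $label, @status;
}
```

Only the third configuration lets the explicitly public handler answer guests while the handler registered without options still demands a login.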
an added help would be an addendum to InstalledPlugins (ok, so it probably deserves to live in configure) that lists all installed handlers and restHandlers, and their permissions etc - that way an admin (and attacker) has the possibility to see what insecurities have been installed.
--
SvenDowideit - 13 Aug 2010
{AllowUnauthScripts} presses all the right buttons for me.
--
CrawfordCurrie - 13 Aug 2010