
[lwip-users] Basic Authentication


From: Marco Lazzaroni
Subject: [lwip-users] Basic Authentication
Date: Mon, 20 Apr 2020 12:35:37 +0200

Hello,
I have to implement some sort of authentication in my web server implementation.
My idea is to begin with Basic Authentication (RFC2617) and then proceed with JWT (Bearer Authentication with JSON web tokens, RFC7519), because in my understanding Basic authentication requires a subset of the changes required for JWT, so I can check if the code is ok.

About Basic Authentication, I suppose that I have to do the following:
- when I get an HTTP request, I have to check in the headers if the "Authorization: Basic xxxxx" is present: if not, I have to send an HTTP 401 with "WWW-Authenticate: Basic realm..."
- if the "authorization: Basic" header is present, and the credentials are correct, I have to reply with an HTTP 200 and the rest of the page
- wrong user/pass: HTTP 403

What functions of httpd.c do I have to modify?
I suppose:
1) http_parse_request, in order to check if "authorization" header is there, and correct, and save this somewhere (in the struct http_ssi_state?)
2) http_find_file(): the fs_open() call must be done only if user and passwords are ok

Is that all?

Another question: is LWIP_HTTPD_FILE_STATE needed for Basic Authentication? And for Bearer Authentication? I think not.

Thanks in advance for your help! :-)
Cheers
Marco
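
The decision flow outlined in the post, as an added example that is not part of the original message and not lwIP's httpd code: a stand-alone C helper that scans only the request headers for `Authorization: Basic`, decodes the credential into a bounded buffer, compares it without an early exit, and returns the 401/200/403 codes listed above. The function name `basic_auth_status` and the `"user:pass"` argument are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Value of one base64 character, or -1 for anything else ('=', CR, NUL...). */
static int b64val(int c) {
  if (c >= 'A' && c <= 'Z') return c - 'A';
  if (c >= 'a' && c <= 'z') return c - 'a' + 26;
  if (c >= '0' && c <= '9') return c - '0' + 52;
  return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Case-insensitive prefix match: header names and the scheme ignore case. */
static int has_prefix_ci(const char *s, const char *p) {
  for (; *p; s++, p++)
    if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
  return 1;
}

/* Hypothetical helper: 200, 401 or 403 for a NUL-terminated request; expected is "user:pass" (< 64 bytes). */
int basic_auth_status(const char *req, const char *expected) {
  unsigned char cred[64] = {0}, diff;
  size_t n = 0, i, explen = strlen(expected);
  unsigned acc = 0;
  int bits = 0, v;
  const char *p = req;
  /* Walk header lines only; stop at the blank line so the body cannot supply the header. */
  for (;;) {
    p = strstr(p, "\r\n");
    if (p == NULL || p[2] == '\r' || p[2] == '\0') return 401;
    p += 2;
    if (has_prefix_ci(p, "authorization:")) break;
  }
  for (p += strlen("authorization:"); *p == ' ' || *p == '\t'; p++) {}
  if (!has_prefix_ci(p, "basic ")) return 401;
  for (p += 6; *p == ' '; p++) {}
  /* Bounded base64 decode: an oversized credential is rejected, never written past cred. */
  for (; (v = b64val((unsigned char)*p)) >= 0; p++) {
    acc = (acc << 6) | (unsigned)v;
    if ((bits += 6) >= 8) {
      if (n == sizeof cred) return 403;
      cred[n++] = (unsigned char)(acc >> (bits -= 8));
    }
  }
  /* Compare every byte regardless of where the first mismatch is. */
  diff = (unsigned char)(n != explen || explen >= sizeof cred);
  for (i = 0; i < explen && i < sizeof cred; i++)
    diff |= (unsigned char)(cred[i] ^ (unsigned char)expected[i]);
  return diff ? 403 : 200;
}
```

Base64 is an encoding, not encryption, so the credential is readable by anyone who can observe the connection unless the server is reached over TLS.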
