Re: [libmicrohttpd] Out of band authentication with libmicrohttpd

[Evgeny Grin]

At the bottom of official GNU libmicrohttpd page you will find
(incomplete) list of alternatives:
https://www.gnu.org/software/libmicrohttpd/

Not sure that any of them implemented such functionality for reasons
that I already described.

-- 
Best Wishes,
Evgeny Grin

On 01.12.2016 21:28, Daniel Tweed, Mr wrote:
> I'm sorry if it's rude to ask, but have you ever seen a library which
> implements the functions required for this status code?  I chose
> libmicrohttpd almost solely based on the fact that I thought this
> function would be available, given the defines, whereas the others I had
> looked at (libhttpd, lievhtp libonion, etc) did not define the code at all.
> 
> 
> Best,
> 
> Daniel
> 
> ------------------------------------------------------------------------
> *From:* libmicrohttpd
> <address@hidden> on behalf of
> Christian Grothoff <address@hidden>
> *Sent:* Thursday, December 1, 2016 1:03:11 PM
> *To:* address@hidden
> *Subject:* Re: [libmicrohttpd] Out of band authentication with
> libmicrohttpd
>  
> Dear Daniel,
> 
> We just defined the status code (for completeness of the #defines), but
> never implemented its semantics.  So you cannot actually use it with MHD.
> 
> Happy hacking
> 
> Christian
> 
> On 12/01/2016 03:28 PM, Daniel Tweed, Mr wrote:
>> Dear Evgeny,
>> 
>> My primary question is around the fact that libmicrohttpd implements the
>> http 102 code as MHD_HTTP_PROCESSING.  The only meaningful use of this
>> code is to transmit it to the client and then send a follow up response
>> when the processing is complete.  There is no other defined behaviour
>> for this code.  So, what I'm trying to deduce is: Does libmicrohttpd
>> actually implement this functionality?  If so, how would one go about
>> doing this?  If not, why is the code implemented?  Should it be removed
>> from the library?
>> 
>> Thanks again for all your comments.  I'm sorry if I wasn't clear before
>> but I am not working from obsoleted specifications, in RFC 4918 it
>> mentions that the for HTTP 102 continue to refer to RFC 2518, not that
>> the code is no longer supported.  The RFC was obsoleted, not the the
>> code.  It is still registered with IANA and is still supported with all
>> major browsers.  I appreciate your attempts to educate me, but http1.1
>> supports what I am trying to do, I'm just trying to figure out if
>> libmicrohttpd does, as the definition of the status code would seem to
>> imply.
>> 
>> Regards,
>> Daniel
>> 
>> ------------------------------------------------------------------------
>> *From:* libmicrohttpd
>> <address@hidden> on behalf of
>> Evgeny Grin <address@hidden>
>> *Sent:* Thursday, December 1, 2016 9:18:17 AM
>> *To:* address@hidden
>> *Subject:* Re: [libmicrohttpd] Out of band authentication with
>> libmicrohttpd
>>  
>> To make it clear: MHD follow HTTP specifications and do not allow to use
>> two responses for single request.
>> 
>> -- 
>> Best Wishes,
>> Evgeny Grin
>> 
>> On 01.12.2016 17:07, Evgeny Grin wrote:
>>> On 01.12.2016 16:30, Daniel Tweed, Mr wrote:
>>>> On 01.12.2016 3:04, Daniel Tweed, Mr wrote:
>>>>>> I'm really new to libmicrohttpd and the examples/tutorial have been
>>>>>> really helpful, but I can't figure out how to implement one specific
>>>>>> thing I need.
>>>>>>
>>>>>> What I am trying to achieved is:
>>>>>>
>>>>>>  1.
>>>>>>     Send http 102 to client who requested anydoc.html which requires
>>>>>>     authentication
>>>>> HTTP standards doesn't define response code 102.
>>>>> See https://tools.ietf.org/html/rfc7231#section-6
>>>>> and https://tools.ietf.org/html/rfc2616#section-6.1.1
>>>>
>>>> It was defined in RFC 2518, which was updated/obsoleted by RFC 4918 for
>>>> WebDAV.  Granted they removed http 102 from the specification (due to a
>>>> lack of implementation) and advise that its IANA registration should
>>>> continue to refer to RDF2518.
>>>> At a minimum, Firefox and IE respond correctly to this status code, and
>>>> it is implemented in libmicrohttpd as MHD_HTTP_PROCESSING
>>> 
>>> I highly recommend you not to use obsoleted specifications - support in
>>> existing application can be dropped in any moment and new application
>>> most probably will not work with this code.
>>> So you will need to re-do your work one more time when clients
>>> unexpectedly start to refuse your server responses.
>>> 
>>>>>>  2.
>>>>>>     Some processing on the serverside, including out of band
>>>> authentication
>>>>>>
>>>>>>  3.
>>>>>>     If authenticated, send response built from somedoc.html, otherwise
>>>>>>     generic not auth message
>>>>
>>>>> HTTP use request-response logic. If you already responded (your code
>>>>> 102) to some request then you can't add another response later.
>>>>
>>>> The purpose of the http102 message is so the client will not timeout
>>>> when waiting for a response if the request will take a long time.  Using
>>>> the MHD_HTTP_PROCESSING code requires some mechanism to first send a
>>>> response with this code and then send a final response.  I just figure
>>>> out how or if this functionality has ever been implemented in the library.
>>> 
>>> These is not grantee that client will wait more after 102.
>>> Moreover, chances of successful response even lower, if you take into
>>> account obsoleted nature of this status.
>>> 
>>>>>> I'm having a failure of understanding somewhere, in that I cannot seem
>>>>>> to figure out how to send the 102 and save the connection details so
>>>>>> that I can forward the response in step 3.   I had thought I could queue
>>>>>> a response then either enter a wait loop or suspend the connection, but
>>>>>> as far as I can tell I have to return from the
>>>>>> |MHD_AcceptPolicyCallback| for the response to be sent.   Then I cannot
>>>>>> figure out how to get back to the connection as I cannot suspend it and
>>>>>> save the pointer. I have looked at the request completed call back but
>>>>>> this still results in the 102 not being sent.
>>>>>>
>>>>>> I really can't figure out a process to achieve these steps from the
>>>>>> examples or the manual.  I'm sure I'm either missing something about
>>>>>> http processing or about libmicrohttpd any help or advice would be
>>>>>> appreciated.  I'm happy to share anything that would make my question
>>>>>> clearer, including more details on the overall application or specific
>>>>>> code I am working with.
>>>>
>>>>> MHD_AcceptPolicyCallback could be used to choose whether to process
>>>>> connection or does not process connection at all.
>>>>
>>>>> You should ether call MHD_queue_response() from your callback
>>>>> MHD_AccessHandlerCallback specified in MHD_start_daemon() parameter or,
>>>>> if your application need some time to generate response - call
>>>>> MHD_suspend_connection(). When application is ready to generate response
>>>>> - call MHD_resume_connection(), then MHD will call again your
>>>>> MHD_AccessHandlerCallback where you can call MHD_queue_response() to
>>>>> provide response to client.
>>>>
>>>>> If you need some kind of authorization, you can use MHD built-in 
>>>>> functions.
>>>>> See examples:
>>>>> src/examples/authorization_example.c
>>>>> src/examples/digest_auth_example.c
>>>>> and
>>>>> doc/examples/tlsauthentication.c
>>>>
>>>> Thanks, I took a look at these but I'm specifically looking at
>>>> out-of-and authentication.  Since posting this, I found a discussion on
>>>> a similar topic on the IRC logs to use either keep-alive or
>>>> MHD_create_response_from_callback ().  My concern is that I cannot know
>>>> how long the out-of-band authentication will take and I need to advise
>>>> the client not to time out.  I need the http 102 message for other
>>>> reasons, but I could work around them, but it seems that this function
>>>> is implementable somehow, given that the code is defined, so I'm really
>>>> hoping not to have to rework my other applications around it.
>>> 
>>> You can use MHD_create_response_from_callback() with MHD_SIZE_UNKNOWN
>>> and generate response by chunks. This will prevent clients from
>>> detecting of timeout.
>>> 
>> 
>