Topic on Project:Support desk

Visual Editor on a password protected site

3
Summary last edited by Ernstkm 11:14, 14 January 2024 10 months ago
Warning Warning: Using the method prescribed below will leave your wiki open to access from unauthenticated users, by merely setting the User-Agent on their request. It would be inadvisable to use this method on a wiki exposed to the public internet. See the discussion below.

Solved using the following:

SetEnvIfNoCase User-Agent VisualEditor-MediaWiki/* visualeditor
<Directory /var/www/>
    AuthUserFile /var/www/files/.htpasswd
    AuthName "Restricted Access"
    AuthType Basic
    Require local
    Require env visualeditor
    Require valid-user
</Directory>
Eddie K Smith (talkcontribs)

Hello, for the testing version of my site, I would like to have the site password protected (its under a sub-domain).

The way I was trying to do this was through .htaccess, now when I do that I get a 401 from Parsoid Visual Editor.

From the following: User:Andrujhon/Allow Parsoid Server I was assuming that to fix it all I needed to do was whitelist localhost. So I tried moving the authentication to my apache2 config with the following (https://stackoverflow.com/a/27209938/14435944):

<Directory /var/www/>
   AuthType Basic
   AuthName "Please enter your username and password"
   AuthUserFile /var/www/files/.htpasswd
   <RequireAny>
      Require ip 127.0.0.1
      Require ip ::1
      Require ip local
      Require valid-user
   </RequireAny>
</Directory>

But it is still blocking my parsoid (deleting the password protection makes parsoid/visual editor works correctly, to be clear).

Does anyone know what I'm doing wrong, or any better suggestion as to having a testing sub-domain password protected?

Thank you

Eddie

Eddie K Smith (talkcontribs)

Also tried the following:

<Directory /var/www/>
   <If "%{REMOTE_ADDR} != '127.0.0.1'">
       AuthType Basic
       AuthName "Development Environment"
       AuthUserFile /var/www/files/.htpasswd
       require valid-user
   </If>
</Directory>

Which looks very similar to User:Andrujhon's solution. Just that it is done in apache conf instead of LocalSettings.php.

Ernstkm (talkcontribs)

I can confirm that SetEnvIfNoCase User-Agent VisualEditor-MediaWiki/* visualeditor "resolves" the problem, in the sense that Visual Editor works again for an Apache-hosted wiki using AuthType Basic. However, it also allows anyone to access to your wiki if they merely set User-Agent: VisualEditor-MediaWiki/something on their request.

To demonstrate this:

curl -ILH 'User-Agent: VisualEditor-MediaWiki/foo' https://url.for.your/wiki

This effectively defeats your site's password protection, so it's inadvisable to do this for a wiki where any kind of access from untrusted users is possible, and especially for a wiki on the public InterWebs.

I wish I had better news, but I don't, yet. I'm confronted with two equally unpalatable options: not use VisualEditor, or switch to a private wiki instead of HTTP auth, leaving more parts of MediaWiki exposed to the public internet. --Ernstkm (talk) 11:06, 14 January 2024 (UTC)

Reply to "Visual Editor on a password protected site"