User Authentication

[nritsche]

bondia is using panel, which wraps a bokeh server. I'm hoping for @ketiltrout's advice on how to add authentication of wiki (bao) users.

https://docs.bokeh.org/en/latest/docs/user_guide/server.html#authentication

[ketiltrout]

I thought we had some Python code for this already but it looks like all we have is either Ruby (Redmine, doclib) or else PHP (layout web interface). Basically it goes something like this:

• The MediaWiki User table is defined here: https://www.mediawiki.org/wiki/Manual:User_table You'll should need only the user_name and user_password columns, so it's up to you whether you want to make a full Model of the table or not. The MediaWiki version we use is new enough that you can use the latest table definition given.
• Ensure the mysql account you're using has select access on the chimewiki:user table. It should not be given additional grants.
• Excepting the first character, Usernames in MediaWiki are case sensitive. The first character in the Username provided by the user should be converted to upper case
• Find the appropriate record in the Mediawiki User table by matching the capitalised username provided against the user_name column and retrieve the user_password value for the user.
• Inspect the returned user_password value to determine the hashing method used for that password. This is explained in detail here: https://www.mediawiki.org/wiki/Manual:User_table#user_password
  • It's better to support all methods, but for legacy support reasons, the chimewiki currently stores all passwords using algorithm "B".
• Hash the user-supplied password according to the metadata in the password field.
• Compare that hash to the value extracted from the user_password field to authenticate

The Rails code I wrote might be worth taking a look at. You can find it on bao: /srv/home/dvw/bao/usr/share/redmine/app/models/auth_source_chimewiki.rb though note that the lazy way it gets the mysql server to hash the supplied password (using SELECT MD5(...)) is not network secure and is only okay because it's using a local socket on the same host as the MySQL server.

[nritsche]

How about using the mediawiki API for user authentication instead? https://pythonhosted.org/mwapi/session.html