#25978 Akeeba Backup HTTP basic authentication bug

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Latest post by jdagenais on Monday, 29 August 2016 10:59 CDT

jdagenais

Description of my issue:

I had activated HTTP Basic Authentication on my website, but it broke my access to the Akeeba Backup backend. I get a 403 error code. I had a Joomla account with the same username as my HTTP basic auth username. If I delete the Joomla account with the same username, it seems to work.

After some research, I found that in the file "/libraries/fof30/TransparentAuthentication/TransparentAuthentication.php", the method getTransparentAuthenticationCredentials() returns the PHP_AUTH_USER and the PHP_AUTH_PW that correspond to my HTTP basic auth username and tries to connect to the Joomla backend with this username. It works only if this account doesn't exist in Joomla.

Is there a way to use HTTP basic auth and create a Joomla account with the same username?

Thanks

nicholas
Akeeba Staff
Manager
That's interesting. There's an obvious bug in our dispatcher, actually. It should check if a user is logged in before engaging transparent authentication. Even more interesting is why we never caught this bug.

It seems that PHP running in CGI/FastCGI mode doesn't set the two PHP_AUTH_* variables. So, these variables are only set when you're using PHP as an Apache module (mod_php) which is extremely rare nowadays. Needless to say, all of our development servers and live servers are running PHP under FastCGI so we can easily switch between PHP versions. Therefore the standard setup we are using to make sure our software runs across all supported PHP versions has the unintended consequence of triggering an incompatibility between PHP and Apache that prevents the bug from becoming obvious. Sure enough, as soon as I changed the development server to use PHP as an Apache module the bug manifested itself and I was able to fix it.

In any case, there's a simple fix which we'll include in the next release. In the file libraries/fof30/Dispatcher/Dispatcher.php, line 120, change this:

		// Perform transparent authentication
		$this->transparentAuthenticationLogin();

with this:

		// Perform transparent authentication
		if ($this->container->platform->getUser()->guest)
		{
			$this->transparentAuthenticationLogin();
		}


Thank you very much for reporting this!

Nicholas K. Dionysopoulos

Lead Developer and Director

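
The behaviour discussed in the reply above, as an added PHP example that is not part of the original post and is not FOF code: a simplified dispatcher model comparing the unguarded call with the guest-only guard, under mod_php and under FastCGI. All function names, account names and passwords are constructed, and mapping a failed transparent login to a 403 is an assumption made to reproduce the reported symptom.

```php
<?php
// Added illustration, not FOF code: every function and variable name here is hypothetical.

// Constructed data: one Joomla account sharing its name with the HTTP Basic auth user.
$accounts = ['siteadmin' => password_hash('joomla-password', PASSWORD_DEFAULT)];
$others   = ['editor' => password_hash('editor-password', PASSWORD_DEFAULT)];

// mod_php exposes the Basic auth pair; per the reply above, CGI/FastCGI leaves it unset.
function basicAuthPair(array $server): ?array
{
    return isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])
        ? [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']]
        : null;
}

// Returns the HTTP status of a back-end request. $guestOnly = true models the patched guard.
// Assumption: a transparent login that fails for an existing account ends in a 403.
function dispatch(array $server, ?string $sessionUser, array $accounts, bool $guestOnly): int
{
    $pair = basicAuthPair($server);
    if ($pair !== null && (!$guestOnly || $sessionUser === null)) {
        [$name, $password] = $pair;
        if (isset($accounts[$name])) {
            if (!password_verify($password, $accounts[$name])) {
                return 403; // web-server password was tried against the Joomla account
            }
            $sessionUser = $name;
        }
    }
    return $sessionUser === null ? 403 : 200;
}

$modPhp  = ['PHP_AUTH_USER' => 'siteadmin', 'PHP_AUTH_PW' => 'htpasswd-password'];
$fastCgi = []; // same request, but the SAPI never sets PHP_AUTH_*

$cases = [
    'mod_php, same-name account, no guard' => [$modPhp, 'siteadmin', $accounts, false],
    'mod_php, same-name account, guarded'  => [$modPhp, 'siteadmin', $accounts, true],
    'FastCGI, same-name account, no guard' => [$fastCgi, 'siteadmin', $accounts, false],
    'mod_php, no same-name account'        => [$modPhp, 'editor', $others, false],
];
foreach ($cases as $label => $args) {
    printf("%-38s => HTTP %d\n", $label, dispatch(...$args));
}
```

Only the first case is rejected; the FastCGI case passes without the guard, which is why a test matrix that never runs PHP as an Apache module does not exercise this code path.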

jdagenais
Thank you, it works now!
