GSoC is coming to a close, so these few weeks have been mostly about wrapping things up. This is good for me as well because college has taken a toll so I have less and less time to spend, but I believe I have enough to have the module at a good position before GSoC closes.
WWW-Authenticate is a HTTP header which is used to identify which protocols the server supports. If a server supports multiple WWW-Authenticate headers, it can send it multiple times to identify different protocols. For example: Drupal can send WWW-Authenticate: Hawk and WWW-Authenticate: Basic for identifying that it supports Hawk and Basic Auth. However, Drupal at the moment doesn’t have support for gathering and sending multiple header values from different modules due to the way it handles 401 Authentication Required exception. I will be working on allowing multiple protocols to send WWW-Authenticate so that multiple auth protocols can be identified at the same time.
Testing Hawk and Basic Auth together
I also spent a considerable amount testing these two protocols together, here is a summary of my findings but in summary: Both protocols work well individually but if a client sends requests containing both protocol’s headers at the same time it would cause either to fail due to the way HTTP protocol dictates concatenation of header values. HTTP recommends allowing only a single protocol in one request in order to have fewer points of failure so for the moment I believe this behaviour is fine, however if it is deemed beneficial to allow multiple protocols within same request it is always a possibility.
For now that is all, I’ll be dealing with WWW-Authenticate issue and documentation during my last week of GSoC.
Thank you for reading!