got-notify-http: implement basic auth
On 2024/04/16 12:22:53 +0200, Stefan Sperling <stsp@stsp.name> wrote:
> One thing I don't quite understand is how our regress verifies
> authentication.

The client is expected to send the "$username:$password" string in the header, and the server to decode it and then look it up somewhere. Several servers support the .htpasswd file format (where passwords are actually encrypted, unlike the HTTP header), but it's an implementation detail.

> The HTTP server seems to compare the auth token
> to a known base64 encoded value?

Exactly. I assumed the server wants username "flan" and password "password" and hardcoded the resulting base64 encoded string. Any value username/password pair could do, it's the server that has to verify it. There are no nonces, signatures or fancy stuff in here. I believe the base64 requirement is just to avoid having to deal with escaping of special characters.

> Could we use some Perl module
> to check whether a real web server will accept the token we send?

Not sure, it would just boil down to what we already have. It could be interesting to write a test case that uses the wrong credentials, or none where it's required, to make sure got-notify-http correctly handles HTTP failures, but it seems hard to write since it's invoked by gotd.
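The server-side check described in the message above (decode the token, split it, compare the pair), written out as an added example that is not code from this thread or from the Got tree. The names `b64_decode`, `ct_equal` and `basic_auth_ok` are hypothetical, and the sample token in the comment is constructed from the "flan"/"password" pair mentioned in the message.

```c
#include <string.h>
#include <strings.h>

/* Decode base64 into out; returns byte count, or -1 if malformed or too long. */
static int b64_decode(const char *in, unsigned char *out, size_t outsz)
{
	static const char tbl[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	size_t len = strlen(in), i, n = 0, pad = 0;
	unsigned int acc = 0, bits = 0;
	const char *p;
	if (len == 0 || len % 4 != 0 || len / 4 * 3 > outsz)
		return -1;
	for (; pad < 2 && in[len - 1] == '='; pad++)
		len--;			/* strip at most two padding characters */
	for (i = 0; i < len; i++) {
		if ((p = strchr(tbl, in[i])) == NULL)
			return -1;	/* character outside the base64 alphabet */
		acc = (acc << 6) | (unsigned int)(p - tbl);
		if ((bits += 6) >= 8)
			out[n++] = (acc >> (bits -= 8)) & 0xff;
	}
	return (int)n;
}

/* Compare two strings without stopping at the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b), i, diff = (la != lb);
	for (i = 0; i < la && i < lb; i++)
		diff |= (unsigned char)(a[i] ^ b[i]);
	return diff == 0;
}

/* Hypothetical helper: 1 only if hdr is "Basic " + base64("user:pass"),
 * e.g. the constructed value "Basic ZmxhbjpwYXNzd29yZA==" for flan/password. */
int basic_auth_ok(const char *hdr, const char *user, const char *pass)
{
	unsigned char buf[256];
	char *colon;
	int n;
	if (hdr == NULL || strncasecmp(hdr, "Basic ", 6) != 0)
		return 0;		/* no credentials, or another scheme */
	if ((n = b64_decode(hdr + 6, buf, sizeof(buf) - 1)) < 0 || memchr(buf, 0, (size_t)n))
		return 0;		/* malformed token or embedded NUL byte */
	buf[n] = '\0';
	if ((colon = strchr((char *)buf, ':')) == NULL)
		return 0;		/* decoded text has no user:password separator */
	*colon++ = '\0';		/* the user name ends at the first colon */
	return ct_equal((char *)buf, user) & ct_equal(colon, pass);
}
```

The rejected cases (missing header, wrong pair, malformed token) are the ones a negative regress test would have to exercise on the client side as HTTP failures.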