Note that Basic authentication should only be used over HTTPS (SSL) or within a secure network. Over plain HTTP the Authorization header (like every other part of the HTTP request) is sent as plain text and is not encrypted, so the base64-encoded credentials can be read by anyone on the path.
As described in the AuthBackendBasic documentation, first of all we need to provide an authentication function. It should take two arguments, the user name and the password, and return a logical value: whether access is allowed for the given user or not.
Now we can create the authentication backend.
Now let's create an application which requires authorization in order to use one of its endpoints.
Let's add two endpoints: the first public (/factorial) and the second with restricted access (/secure/factorial).
As we can see, the first endpoint doesn't require any authentication:
Let's try to send a request without credentials to the second endpoint:
As expected, this gives a 401 response.
Now let's add correct credentials:
Let's see what happens if the password is wrong:
```r
credentials = jsonlite::base64_enc("user-1:password-2")
headers = list("Authorization" = sprintf("Basic %s", credentials))
req = Request$new(
  path = "/secure/factorial",
  parameters_query = list(x = "5"),
  headers = headers
)
res = app$process_request(req)
res$body
#> "401 Invalid Username/Password"
```
Bearer authentication (also called "token" authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name "Bearer authentication" can be understood as "give access to the bearer of this token." The bearer token is an opaque string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources; anyone who holds the token can use it, which is why it must never be exposed.
The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750, but is sometimes also used on its own. Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).
As an alternative to requiring authentication for a single endpoint, we can make it mandatory for all endpoints whose path starts with a certain pattern:
Request with a valid token to
Request with an invalid token to
Request to an endpoint which doesn't require authorization:
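The prefix-based protection described above, as an added, self-contained example that is not code from the original page: a Bearer backend guards every route under "/secure/" (the `routes`/`match = "partial"` arguments of AuthMiddleware and the single-argument function passed to AuthBackendBearer are assumed from the package's documented API), and a small helper drives the app in-process with constructed tokens so the public and guarded routes can be compared side by side.

```r
library(RestRserve)

# Constructed token store. In a real service tokens are issued at login and
# looked up (ideally as hashes) in a database; these values are made up.
valid_tokens = c("tok-constructed-1" = "user-1", "tok-constructed-2" = "user-2")

# Backend function for AuthBackendBearer: receives the token taken from the
# "Authorization: Bearer <token>" header and returns TRUE (allow) or FALSE (deny).
check_token = function(token) {
  token %in% names(valid_tokens)
}
bearer_backend = AuthBackendBearer$new(FUN = check_token)

# match = "partial" makes the middleware guard every route whose path starts
# with the "/secure/" prefix, instead of one exactly matching route.
auth_mw = AuthMiddleware$new(
  auth_backend = bearer_backend,
  routes = "/secure/",
  match = "partial",
  id = "bearer_auth"
)
app = Application$new(middleware = list(auth_mw))

factorial_handler = function(.req, .res) {
  x = as.numeric(.req$get_param_query("x"))
  .res$set_body(as.character(factorial(x)))
}
app$add_get("/factorial", factorial_handler)         # public
app$add_get("/secure/factorial", factorial_handler)  # guarded by the prefix
app$add_get("/secure/echo", function(.req, .res) .res$set_body("ok"))  # also guarded

# Helper that builds a Request and processes it in-process, like the text does.
send = function(path, token = NULL) {
  headers = list()
  if (!is.null(token)) {
    headers[["Authorization"]] = paste("Bearer", token)
  }
  req = Request$new(path = path, parameters_query = list(x = "5"), headers = headers)
  res = app$process_request(req)
  list(status = res$status_code, body = res$body)
}

send("/factorial")                              # public route, no token needed
send("/secure/factorial", "tok-constructed-1")  # known token: allowed
send("/secure/factorial", "bad-token")          # unknown token: rejected
send("/secure/echo")                            # no token on a guarded prefix
```

Only the two "/secure/" calls without a valid token are rejected by the middleware; the handlers themselves contain no authentication logic, which is the point of attaching the check to the path prefix.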