[dev] available api authentication routines?

Eric Rostetter eric.rostetter@physics.utexas.edu
Fri, 31 May 2002 10:46:06 -0500


Quoting Chuck Hagenbuch <chuck@horde.org>:

> Quoting Eric Rostetter <eric.rostetter@physics.utexas.edu>:
> 
> > 1) Is there any Horde or Horde component API call that will return a
> > username *and* password for the current user?  (Say, can I query IMP or 
> > Gollem to get the authentication username/password for the current 
> > session)  Yes, I do understand why allowing such a call would be 
> > dangerous...  But I still want to know if there is one (or are any plans 
> > for one) or not.
> 
> Looks like you found it, but, for the archives: Auth::getAuth() and 
> Auth::getCredential('password').

Thanks!  Do any of the other modules have a similar API (IMP, Gollem?).
(In case you have, say, separate authentication for Horde and IMP)
 
> > 2) Is there any Horde/component API call that will verify a 
> > username/password combination without actually creating a login session?  
> > So if I have some username/password combination, can I test them to see 
> > if they are correct via some supported call?
> 
> Auth::authenticate() will set the session variables. We currently don't 
> have a call that only checks auth; if it's needed, I'd be happy to add one 
> to the API.

It would seem to be a good idea to me.  There are still issues, but
it might provide some functionality for my passwd module...

Let me bounce something off you developers...  In the forward/vacation modules,
there is a real strong demand from the users of the modules to be able to
display the current settings without having to enter a username/password.  
(This is not my idea -- I've resisted it until this week.  But the demand is 
so great, I'm finally considering giving in).  

Anyway, to get the current settings, I need the username and password.  So I
can get the Horde username/password via the above Auth:: calls, no problem.  
However, there is no guarantee that this Horde login username/password is
the same as the one needed to login via ftp, so this may still not work in
all cases.  But whenever I point this out, the users say "yeah, but in most
cases it will be, so you should do it anyway..."  So the idea would be to
make this a config option the admin could allow/disallow.  They would still
need to enter the password to *change* the info, so that if the user walks
away with the web browser logged in to Horde, someone else can't just play
willy-nilly with the password/forwards/vacations.  But it would allow them
to see the forwards/vacations (if possible) before they start, and/or to
verify they were really set/removed/changed when they use the form.

So, other than the fact that the Horde password may not match the ftp
password, and issues with users leaving themselves logged in when they
shouldn't, are there any other issues I need to consider here?  And is this
something the Horde development people would support or not?

> Btw, in response to your documentation questions, the API docs there are a 
> possible place for them; we also could use some presentation/tutorial style 
> docs dealing with our APIs as well. It's a matter of someone having the 
> motivation to write them.

What is the possible place for them?  I'd like to see also maybe an
"example code usage" section added as needed.  Want to work together a 
bit on getting this started?  I'm not saying I'd be willing or able to
provide details for all the api calls.  But we could start piecemeal as
long as we have a standard way of doing it.
 
> -chuck

-- 
Eric Rostetter
Eric.Rostetter@physics.utexas.edu
The Department of Physics
The University of Texas at Austin

Quidquid latine dictum sit, altum viditur.
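
The view/change split proposed in the message above, as an added sketch that is not part of the original post and is not Horde or module code. SessionAuth is a stand-in for the Auth::getAuth() and Auth::getCredential('password') calls named in the thread; FtpBackend, the allow_session_view option and the account data are hypothetical and constructed for illustration.

```php
<?php
// Stand-in for the two Horde calls named in the thread. Constructed values.
final class SessionAuth {
    public static function getAuth(): string { return 'alice'; }
    public static function getCredential(string $key): ?string {
        return $key === 'password' ? 'horde-secret' : null;
    }
}

// Hypothetical stand-in for the ftp account the module logs in to.
final class FtpBackend {
    private array $accounts;
    public function __construct(array $accounts) { $this->accounts = $accounts; }
    public function login(string $user, string $pass): bool {
        return isset($this->accounts[$user])
            && hash_equals($this->accounts[$user]['password'], $pass);
    }
    public function readForward(string $user): string { return $this->accounts[$user]['forward']; }
    public function writeForward(string $user, string $to): void { $this->accounts[$user]['forward'] = $to; }
}

// Read-only view: allowed only if the admin enabled it, and only if the
// session credentials happen to work on the backend. null means "prompt".
function viewForward(array $conf, FtpBackend $ftp): ?string {
    if (empty($conf['allow_session_view'])) { return null; }
    $user = SessionAuth::getAuth();
    $pass = SessionAuth::getCredential('password');
    if ($pass === null || !$ftp->login($user, $pass)) { return null; }
    return $ftp->readForward($user);
}

// Change: never uses the session password, only the one typed into the form.
function changeForward(FtpBackend $ftp, string $typedPassword, string $to): bool {
    $user = SessionAuth::getAuth();
    if ($typedPassword === '' || !$ftp->login($user, $typedPassword)) { return false; }
    $ftp->writeForward($user, $to);
    return true;
}

$same  = new FtpBackend(['alice' => ['password' => 'horde-secret', 'forward' => 'alice@example.org']]);
$other = new FtpBackend(['alice' => ['password' => 'ftp-only', 'forward' => 'alice@example.org']]);
var_dump(viewForward(['allow_session_view' => true], $same));   // session view permitted
var_dump(viewForward(['allow_session_view' => false], $same));  // admin disallowed
var_dump(viewForward(['allow_session_view' => true], $other));  // passwords differ
var_dump(changeForward($same, '', 'x@example.org'));            // no typed password
var_dump(changeForward($same, 'horde-secret', 'bob@example.org'));
```

When the session password does not match the backend, the view path returns null so the caller falls back to the password form rather than failing with an error.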