[rt-users] R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

Thomas Sibley trs at bestpractical.com
Wed Jan 2 18:50:46 EST 2013


On 01/02/2013 03:44 PM, Scotto Alberto wrote:
> Yep! That's something I was mumbling about.
> 
> Thanks to you, I've just given it a try.
> It's not that easy peasy: REST returns 200 even if you are not authenticated. But you can deduce if you have been auth'd from the HTML page you get, searching for 'span id="not-logged-in" ', for example.

REST should never return HTML.  Try an existing endpoint under
/REST/1.0/ instead of just that top level dir.

> What about the security point of view of the two methods of auth (my script vs REST)?
> Assuming RT is reachable via https, can it be any worse than executing a script via ssh?

1) You don't have to replicate the RT::Authen::ExternalAuth handling,
since it'll all Just Work if you treat the web interface as an auth
endpoint.

2) You won't suffer arbitrary code execution vulnerabilities in your ssh
exec wrapper.

3) It doesn't require your PHP app to live on the same server as RT's
source code and config.
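The check Thomas describes, as an added example that is not part of the original posts or of RT's own code: POST the user's credentials to an endpoint under /REST/1.0/ and read the plain-text status line RT prefixes to every REST 1.0 reply ("RT/<version> 200 Ok" on success, "RT/<version> 401 Credentials required" on failure), rather than the HTTP status, which is 200 either way. The /REST/1.0/user/<name> endpoint, the hostname, the version string and the user record in the fake replies are assumptions made for the example; the fake RT and the HTML login page are constructed so the code runs offline. An HTML body (what the bare /REST/ directory hands back) is rejected outright instead of being scraped, and credentials are refused on a non-https URL.

```python
# Added example, not code from RT or from the thread's posters.
# Checks a username/password by POSTing them to RT's REST 1.0 interface
# and reading the plain-text status line RT returns.  Assumptions are
# marked ASSUMED in comments.
import re
import urllib.parse
import urllib.request

# First line of every REST 1.0 reply looks like "RT/4.0.8 200 Ok".
STATUS_LINE = re.compile(r"^RT/(\S+) (\d{3}) (.*)$")


def parse_rt_status(body):
    """Return (version, code, text) from an RT REST 1.0 reply body.

    Raises ValueError when the body is not a REST reply at all, which is
    what you get from the top-level /REST/ directory or any non-REST URL:
    an HTML login page, even though HTTP said 200.
    """
    first = body.split("\n", 1)[0].strip()
    m = STATUS_LINE.match(first)
    if not m:
        raise ValueError("not an RT REST 1.0 reply: %r" % first[:60])
    return m.group(1), int(m.group(2)), m.group(3)


def rt_auth_succeeded(body):
    """True only for REST status 200; 401 'Credentials required' (and
    anything else) is a failed login.  HTML raises instead of passing."""
    return parse_rt_status(body)[1] == 200


def _https_post(url, data, timeout=10):
    # Real transport: a form POST via urllib; RT reads the user= and pass= fields.
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_credentials(base_url, user, password, fetch=_https_post):
    """Return True if RT at base_url accepts user/password, else False.

    `fetch(url, data_bytes) -> str` is injectable so the logic can be
    exercised offline; the default does a real HTTPS POST.
    """
    if not base_url.lower().startswith("https://"):
        # Credentials travel in the POST body; never send them in clear.
        raise ValueError("refusing to send credentials over non-https URL")
    # ASSUMED endpoint: /REST/1.0/user/<name> is used here as the "existing
    # endpoint under /REST/1.0/" rather than the bare /REST/ directory.
    url = base_url.rstrip("/") + "/REST/1.0/user/" + urllib.parse.quote(user, safe="")
    data = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    return rt_auth_succeeded(fetch(url, data))


# Constructed stand-in for RT so the example runs offline.  Replies copy the
# shape of real REST 1.0 output; the version number and user id are made up.
def fake_rt(valid_user="alice", valid_pass="s3cret"):
    def fetch(url, data):
        form = urllib.parse.parse_qs(data.decode())
        if form.get("user") == [valid_user] and form.get("pass") == [valid_pass]:
            return "RT/4.0.8 200 Ok\n\nid: user/12\nName: alice\n"
        return "RT/4.0.8 401 Credentials required\n"
    return fetch


# Constructed: what the top-level /REST/ dir (or a proxy error page) hands
# back, an HTML page with HTTP 200 that must not count as a successful login.
HTML_LOGIN_PAGE = '<html><body><span id="not-logged-in">Not logged in.</span></body></html>'


if __name__ == "__main__":
    rt = fake_rt()
    print(check_credentials("https://rt.example.test", "alice", "s3cret", fetch=rt))  # True
    print(check_credentials("https://rt.example.test", "alice", "wrong", fetch=rt))   # False
    try:
        rt_auth_succeeded(HTML_LOGIN_PAGE)
    except ValueError as e:
        print("rejected:", e)
```

Because the decision rests on RT's own status line rather than on scraping the HTML for a "not-logged-in" span, a change to RT's login page cannot silently turn every failed login into a success; the only way to get True is a body that starts with an RT REST status of 200.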


