Support for Basic HTTP Authentication #983

@pkothare

Description

As a user of the OSCAL Catalog Viewer, I would like to view OSCAL catalogs that are hosted at a URL that has been secured using Basic HTTP authentication.

Acceptance Criteria

  • When a URL is supplied in the OSCAL Catalog URL textbox and the Reload button is selected, the system should inject the necessary headers in accordance with The 'Basic' HTTP Authentication Scheme and make an authenticated request to fetch the catalog that will be subsequently rendered in the viewer.
  • Injection of credentials should be optional, and the app should be updated without any breaking changes.
  • The credentials should be configurable on the client or the server.
  • Credentials configured on the server should never be visible to clients, and requests made using credentials on the server imply that the server will fetch the catalog by making an authenticated request, and then transmit the catalog data to the client.

Proposed Solution

Client Side Credentials

  • Update the UI with optional support for supplying credentials directly through the browser, with the relevant checkboxes and text boxes to accept information from the user
  • Update the logic to inject headers if the option for Basic Authentication (Client) is selected

Server Side Credentials

  • Update the UI to be built and served from a container using Node, Express, Next.js or some other framework. Some preliminary guidance has been provided in the Create React App docs.
  • Update the UI to have a checkbox that specifies the request will use basic authentication with credentials configured in the container (on the server). The label for the checkbox should be Basic Authentication (Server)
  • Update the logic to support this type of request
  • Provide a sample Docker build that showcases how to configure basic credentials as environment variables when the container image is built.
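
The two request modes described above, sketched as an added example that is not part of the original issue or the viewer's code base. The environment variable names (`OSCAL_BASIC_USER`, `OSCAL_BASIC_PASS`, `OSCAL_ALLOWED_ORIGIN`) and the function names are assumptions; the origin check is an assumed safeguard so that server-held credentials are only sent to the configured catalog host.

```javascript
// Added example. OSCAL_BASIC_USER, OSCAL_BASIC_PASS and OSCAL_ALLOWED_ORIGIN
// are assumed environment variable names, not taken from the viewer project.

// RFC 7617: "Basic " + base64(user-id ":" password), encoded here as UTF-8.
function basicAuthHeader(user, pass) {
  if (user.includes(':')) throw new Error('user-id must not contain ":"');
  if (/[\u0000-\u001f\u007f]/.test(user + pass)) throw new Error('control characters not allowed');
  const bytes = new TextEncoder().encode(`${user}:${pass}`);
  return 'Basic ' + btoa(String.fromCharCode(...bytes));
}

// Client mode: the browser attaches the header itself. HTTPS only, because
// base64 is an encoding, not encryption.
function clientRequest(catalogUrl, creds) {
  const url = new URL(catalogUrl);
  const headers = { Accept: 'application/json' };
  if (creds) {
    if (url.protocol !== 'https:') throw new Error('Basic auth requires https');
    headers.Authorization = basicAuthHeader(creds.user, creds.pass);
  }
  return { url: url.href, init: { headers } };
}

// Server mode: credentials come from the environment and are attached only
// when the requested URL is on the configured origin; otherwise a client
// could name its own host and receive the server's credentials.
function serverRequest(catalogUrl, env) {
  const url = new URL(catalogUrl);
  if (url.username || url.password) throw new Error('credentials in URL not allowed');
  if (url.protocol !== 'https:' || url.origin !== env.OSCAL_ALLOWED_ORIGIN) {
    throw new Error('URL not eligible for server credentials');
  }
  const headers = { Authorization: basicAuthHeader(env.OSCAL_BASIC_USER, env.OSCAL_BASIC_PASS) };
  // redirect: 'error' stops the header from following a redirect elsewhere.
  return { url: url.href, init: { headers, redirect: 'error' } };
}

// Returns only the catalog body; upstream headers are never relayed.
async function serverFetchCatalog(catalogUrl, env, fetchImpl = fetch) {
  const { url, init } = serverRequest(catalogUrl, env);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`upstream returned ${res.status}`);
  return res.json();
}
```
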

Labels: enhancement (New feature or request)