Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add require login bypass tokens feature #222

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Conversation

roborourke
Copy link
Contributor

Intended for use with Lightouse / Qualys to check performance of non-prod envs.

Intended for use with Lightouse / Qualys to check performance of non-prod envs.
@roborourke roborourke requested a review from mattheu November 24, 2022 12:07
Copy link
Member

@mattheu mattheu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

@roborourke roborourke requested a review from kovshenin November 24, 2022 12:42
@ntwb
Copy link
Contributor

ntwb commented Nov 25, 2022

What's the chances of having this backported to v10 branch? 🙇🏼‍♂️

@roborourke
Copy link
Contributor Author

@ntwb its not a bug fix so I think your best option is to copy the functionality for now


use Altis;

const QUERY_ARG = 'altis-auth';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should ideally be passed through the Authorization header rather than as a query parameter, as the query parameter will end up in server logs/etc. Do the tools this was created for support this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure, @mattheu ?


if (
isset( $_GET[ QUERY_ARG ] ) &&
in_array( $_GET[ QUERY_ARG ], array_values( $tokens ), true )
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a security feature, this needs to use constant-time comparison of strings to avoid timing attacks; ideally hash_equals()


### Bypass Tokens

Bypass tokens are a way to allow tools like Lighthouse or Qualys access to development or staging environments using a unique query string token. This lets you check performance insights on non-production environments for non-logged in users so you can see the experience most site visitors will get.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what "Qualys" is here, is that referencing SSL Labs? If so, authentication isn't necessary for that in any case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants