CDN hosting SDK artifacts should return WWW-Authenticate: Basic realm=... header alongside 401s #2144

Open
djs-code opened this issue Mar 13, 2024 · 0 comments


(This is more of a hosting configuration request than it is an iOS SDK one, but I'm not currently aware of a better place to post this, so here we go.)

New Feature

The CDN (which looks to be Cloudfront, based on the HTTP responses I'm seeing) hosting the MapBox SDK artifacts should return WWW-Authenticate: Basic realm=... header alongside 401 responses.

Why

The current standard of configuring ~/.netrc files for authenticating with MapBox's CDN works well for personal development environments, but can be somewhat brittle in CI pipelines, especially those that run on bare metal without containerization.
One potential alternative here is to allow Mapbox's various Package.swifts to accept credentials from environment variables and bake them into the URLs themselves. As an example, the following code from mapbox-common-ios's Package.swift:

targets: [
    .binaryTarget(
        name: "MapboxCommon",
        url: "https://api.mapbox.com/downloads/v2/mapbox-common/releases/ios/packages/\(version)/MapboxCommon.zip",
        checksum: checksum
    ),

would be transformed into:

targets: [
    .binaryTarget(
        name: "MapboxCommon",
        url: {
            var urlComponents = URLComponents()
            urlComponents.scheme = "https"
            urlComponents.host = "api.mapbox.com"
            urlComponents.user = ProcessInfo.processInfo.environment["MAPBOX_API_USERNAME"]
            urlComponents.password = ProcessInfo.processInfo.environment["MAPBOX_API_PASSWORD"]
            urlComponents.path = "/downloads/v2/mapbox-common/releases/ios/packages/\(version)/MapboxCommon.zip"
            
            return urlComponents.url!.absoluteString
        }(),
        checksum: checksum
    ),

This change would continue to be fully backwards compatible with having a ~/.netrc file, but also allow users to authenticate in CI using only environment variables. This is a code change I myself would be up to volunteer contributing to the various open source repositories.

However, SPM has a hitch necessitating the need for the aforementioned Cloudfront addition.

Even though the manual curl https://<username>:<password>@api.mapbox.com/downloads/v2/mapbox-common/releases/ios/packages/24.2.1/MapboxCommon.zip command works as expected, SPM will proactively strip out the provided URL's embedded credentials, perform the GET request, and only upon a 401 response code AND the presence of the WWW-Authenticate: Basic realm=... header will it retry the request with the previously stripped credentials Base64-encoded into the Authorization header.

Based on some cursory HTTP debugging, it looks like the Cloudfront instance Mapbox's binary artifacts are distributed from does not include the WWW-Authenticate: Basic realm=... header upon 401s.
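The challenge-gated retry described in the issue above, modelled as an added example (not part of the original issue and not SPM's or Mapbox's code). The function names, the `downloads.example.invalid` host, the credentials and both sample responses are constructed assumptions; the model only encodes the behaviour the issue reports.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit


def split_credentials(url):
    """Return (url_without_userinfo, (user, password) or None)."""
    parts = urlsplit(url)
    creds = (parts.username, parts.password or "") if parts.username else None
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    bare = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return bare, creds


def basic_realm(headers):
    """Return the realm of a Basic challenge in WWW-Authenticate, or None if absent."""
    for name, value in headers.items():
        if name.lower() != "www-authenticate":
            continue
        match = re.search(r'(?:^|,)\s*Basic\s+realm="?([^",]*)"?', value, re.I)
        if match:
            return match.group(1)
    return None


def retry_authorization(url, status, headers):
    """Authorization value sent on the retry, or None when no retry happens.

    Models the flow from the issue: the first GET goes out without the URL's
    embedded credentials, and they are only replayed after a 401 that carries
    a Basic challenge.
    """
    _, creds = split_credentials(url)
    if creds is None or status != 401 or basic_realm(headers) is None:
        return None
    token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    return f"Basic {token}"


# Constructed sample data (not captured from the real CDN).
URL = "https://ci-user:ci-token@downloads.example.invalid/pkg/Example.zip"
BARE_401 = {"Content-Type": "application/json"}
CHALLENGE_401 = {"Content-Type": "application/json",
                 "WWW-Authenticate": 'Basic realm="downloads"'}
```

With `BARE_401` the model returns `None`, which is the failure mode reported here: the credentials in the URL are never sent. With `CHALLENGE_401` the retry carries them in the `Authorization` header.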

mapbox-github-ci-writer-public-1 bot pushed a commit that referenced this issue May 8, 2024
Co-authored-by: Mai Mai <[email protected]>
Co-authored-by: Roman Gardukevich <[email protected]>