I have a login screen where I need to get the user credentials. Is there a way I can check these are valid (i.e. that the user exists and the password is correct), before any ACLs etc?
e.g. curl …/users/me -u admin:changeit
Hi Jeremy,
I don’t know if this is the way to go, but when tracing the request for the ESDB UI login the following request returns 200 or 401. It seems to work regardless of the group the user belongs to:
curl --location --request GET 'https://localhost:2113/info' --header 'Authorization: Basic YWRtaW46Y2hhbmdlaXQ='
HTH. Cheers,
Peter
Good Day
Yes, that does work. However, I do have a question: if you curl without any authentication, it also works! The documentation at EventStore Security says that authentication is not applied to certain endpoints (including /info). Is this a security risk (exposing system information over the public internet without any authentication)?
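The pitfall raised above, as an added example that is not part of the original posts: a credential check that first probes the endpoint anonymously and refuses to use it if it answers 200 to anyone. The mock server, the `/protected` path and the helper names are assumptions constructed for the demo; it uses plain HTTP on loopback instead of the thread's `https://localhost:2113`.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed stand-in server: /info answers anyone (as the thread reports);
# /protected is a hypothetical path that enforces Basic auth.
VALID = "Basic " + base64.b64encode(b"admin:changeit").decode()
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

class MockHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = self.path == "/info" or self.headers.get("Authorization") == VALID
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def status(url, user=None, password=None):
    """HTTP status of a GET, sent with Basic credentials when given."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_credentials(url, user, password):
    """True if accepted, False if rejected; refuses endpoints open to anyone."""
    if status(url) == 200:  # anonymous 200: a later 200 proves nothing
        raise ValueError(f"{url} does not enforce authentication")
    return status(url, user, password) == 200

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        good = check_credentials(base + "/protected", "admin", "changeit")
        bad = check_credentials(base + "/protected", "admin", "wrong")
        naive = status(base + "/info", "admin", "wrong")  # 200 despite bad password
        return good, bad, naive
    finally:
        server.shutdown()
        server.server_close()
```
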
Hi Jeremy,
I don’t know your specific use case obviously, but I would always try to prevent making components like esdb publicly available. What are you trying to accomplish?
Cheers,
Peter