[DTOSS-10297] basic auth for non-production environments#243

Closed
MatMoore wants to merge 10 commits into main from DTOSS-10297-basic-auth

Conversation

@MatMoore
Contributor

Description

This PR adds a login page that authenticates using HTTP basic authentication, configured by environment variables.
This is integrated with django.contrib.auth so that request.user.is_authenticated is True. The user that is logged in is based on the username from the basic auth.

This page is only shown if BASIC_AUTH_ENABLED is set.

Login is now required for every view except the login page.

How to test locally

  • run make seed again to load in the user
  • set BASIC_AUTH_* environment variables (see .env.tpl for an example)
  • when prompted, enter the username/password that match the env vars

Not done yet

  • setting the environment variables in the development environment
  • when we update to version 10 of the design system we will be able to show the logged-in user in the header
  • when we get to implementing CIS2, I was thinking we will add a separate login page containing the button
  • we talked about having the ability to switch users in non-production environments, which could be a separate page

Jira link

https://nhsd-jira.digital.nhs.uk/browse/DTOSS-10297

Review notes

  1. This uses basic authentication as that's what we agreed on the ticket. But having done this, I feel like it would be simpler to just use form based authentication, as this way we can use the built in LoginView instead of the custom code.
  2. Assuming we keep the basic auth, the way I've implemented it is to add a /test-login URL that triggers the basic auth. If the auth is successful it redirects to the homepage. But alternatively I could move this to a middleware that triggers on every request, and passes through to the view on success. This is slightly neater as it avoids a redirect, and would simplify our playwright tests. What do you think?
  3. Can you think of a better way of naming the view, to avoid TestTestEnvironmentLogin in the tests?
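
The middleware-style gate discussed in review note 2, written here as an added, framework-free example (not the PR's own code) of how the Authorization header would be checked on every request: it parses the `Basic` credential, compares both fields in constant time against the configured values, and either passes the username through (for the view to log in via django.contrib.auth) or returns a 401 challenge. The variable names BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD are assumptions; the PR only says "BASIC_AUTH_*" and points at .env.tpl.

```python
import base64
import binascii
import hmac
import os

# Assumed names for the BASIC_AUTH_* variables; the PR only points at .env.tpl.
ENV_ENABLED, ENV_USERNAME, ENV_PASSWORD = "BASIC_AUTH_ENABLED", "BASIC_AUTH_USERNAME", "BASIC_AUTH_PASSWORD"
CHALLENGE = {"WWW-Authenticate": 'Basic realm="non-production", charset="UTF-8"'}


def make_basic_header(username, password):
    """Client side: the Authorization value a browser sends after the login prompt."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header):
    """Return (username, password) from 'Basic <base64>', or None if absent or malformed."""
    scheme, _, encoded = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Split on the first colon only: passwords may themselves contain ':'.
    username, _, password = decoded.partition(":")
    return username, password


def basic_auth_gate(headers, environ=os.environ):
    """Middleware-style decision: ("disabled", None), ("pass", username) or ("challenge", headers)."""
    if environ.get(ENV_ENABLED, "").lower() not in ("1", "true", "yes"):
        return ("disabled", None)  # production: the gate does nothing
    expected_user, expected_pass = environ.get(ENV_USERNAME), environ.get(ENV_PASSWORD)
    if not expected_user or not expected_pass:
        return ("challenge", CHALLENGE)  # fail closed when enabled but misconfigured
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        return ("challenge", CHALLENGE)
    username, password = creds
    # Compare both fields in constant time so a wrong username is not distinguishable by timing.
    user_ok = hmac.compare_digest(username.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_pass.encode("utf-8"))
    if user_ok and pass_ok:
        return ("pass", username)  # the view can now log this username in via django.contrib.auth
    return ("challenge", CHALLENGE)
```

In a Django middleware the "challenge" branch would become an `HttpResponse(status=401)` carrying the `WWW-Authenticate` header, and the "pass" branch would call `login()` for the matching seeded user before handing the request to the view.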

MatMoore added 6 commits July 30, 2025 14:40
This will be used for non-production environments. These environments
contain public code and public data, so we don't need to secure
authentication, but we want to prevent people outside of the team from
mistaking it for a real service, so we will use basic authentication
on those environments (as with the prototype)
MatMoore force-pushed the DTOSS-10297-basic-auth branch from 821421f to a6ede01 on July 30, 2025 13:53
MatMoore added 4 commits July 30, 2025 15:26
this removes the need for an extra URL and the redirect behaviour
(not sure why this wasn't failing before)