Forum Discussion

CarolineS's avatar
3 years ago

Best way to handle staging site basic auth?

Hi ya'll!

In working with developers who are attempting to integrate 3rd party systems with our Khoros Community platform, one of the first things we encounter is the fact that our Khoros staging site has http basic auth (the popup that appears on the browser when you attempt to access our staging URL) in addition to the Khoros user auth. 

I typically recommend that they get through the basic auth in their scripts / Postman via using a staging URL of the format https://basicAuthUsername:basicAuthPassword@[staging-url]

Is this the best way to do it?  

Whatever the recommended method is, it would be great if it was added to the Khoros API documentation as it's a very common stumbling block.

Thanks!!

  • Well, in Postman, instead of putting the auth as a URL, i'd suggest passing it as a header (Authorization Tab, Basic Auth). 

    Another, less desirable option would be to have HTACCESS removed on stage, and to prevent bots from crawling, add this to the page head content: 

    <#if config.getString("phase", "prod") == "stage"> <#-- disallow indexing for stage since HTACCESS is disabled -->
        <meta name="robots" content="noindex,nofollow">
    </#if>

     

    Obviously the problem with this is, stage would still be accessible via the broader internet.

6 Replies

  • MattV's avatar
    MattV
    Khoros Staff
    3 years ago

    If they are using a corporate network or VPN, you can contact support to have their corporate vpn IP address whitelisted on stage so they don't get the password prompt.

  • This isn't always possible (e.g. 3rd party devs who aren't on VPN); what do you recommend when not possible to whitelist?

  • MattV's avatar
    MattV
    Khoros Staff
    3 years ago

    Well, in Postman, instead of putting the auth as a URL, i'd suggest passing it as a header (Authorization Tab, Basic Auth). 

    Another, less desirable option would be to have HTACCESS removed on stage, and to prevent bots from crawling, add this to the page head content: 

    <#if config.getString("phase", "prod") == "stage"> <#-- disallow indexing for stage since HTACCESS is disabled -->
        <meta name="robots" content="noindex,nofollow">
    </#if>

     

    Obviously the problem with this is, stage would still be accessible via the broader internet.

  • Thanks! Does it work to send both the http basic auth AND your session key / whatever Khoros auth info that’s needed in the header? I’ve struggled with that a bit (but also don’t really know what I’m doing :))

  • MattV's avatar
    MattV
    Khoros Staff
    3 years ago

    Yes, you can do both at the same time.