On 17/09/05, Ævar Arnfjörð Bjarmason <avarab(a)gmail.com> wrote:
> > Isn't it possible to just use HTTP authentication with RSS/Atom feeds?
> > Or is this a problem for some reason?
[snip]
> - where Brion points out that even if most RSS readers can use HTTP
> authentication, MediaWiki can't, so it's not really all that helpful.
Well that could be fixed.
Yes, but saying "just use HTTP authentication" makes it sound like
this is somehow the easy option. Implementing a whole new
authentication scheme into MediaWiki just to let people have RSS
watchlists isn't something I'd call easy...

Besides, given the range of readers people use to access RSS feeds, is
HTTP-Auth even the best way to go? Think of a web-based aggregator,
for instance, where the user-agent connecting to the MediaWiki server
is essentially a bot on the server, with no visibility to the actual
user - the user will have no chance to respond to an authentication
challenge.

So the obvious alternative is to tell them to put their username and
password into a "user:pass@host" format, to see if that works - but
that means entering the password to their whole account in plain text,
on a site which may or may not be all that trustworthy.

So instead of using the normal password, we let them use a special
"watchlist password", which since they can just use copy-and-paste
might as well be a randomly generated token. And then, to avoid things
not recognising the "user:pass@host" format, we can just put that
random token at the end of a special URL (it's not really logging them
in anyway); in which case, we don't need to bother implementing HTTP
Authentication after all.

And so we've come round full circle - a special URL containing a
randomly generated token.
--
Rowan Collins BSc
[IMSoP]
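
The scheme the message arrives at (a random, feed-only token carried in a special URL) can be sketched as follows. This is an added example, not part of the original e-mail and not MediaWiki code; the in-memory store, the function names and the `feed`/`user`/`token` parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical per-user store: username -> SHA-256 hex digest of the feed token.
# Only the digest is kept, so a leaked table does not yield working feed URLs.
_token_digests = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_feed_token(user):
    """Create or rotate the user's watchlist token; any older token stops working."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _token_digests[user] = _digest(token)
    return token


def feed_url(base, user, token):
    """Build the URL the user pastes into a feed reader or web aggregator."""
    return base + "?" + urlencode({"feed": "atom", "user": user, "token": token})


def authorize_feed_request(url):
    """Return the user whose watchlist may be served for this URL, else None.

    A match grants read access to that one feed only; it is not a login,
    so a token exposed to an aggregator never exposes the account password.
    """
    query = parse_qs(urlsplit(url).query)
    user = query.get("user", [""])[0]
    token = query.get("token", [""])[0]
    expected = _token_digests.get(user)
    if not expected or not token:
        return None
    # Constant-time comparison of fixed-length hex digests.
    if hmac.compare_digest(_digest(token), expected):
        return user
    return None


if __name__ == "__main__":
    base = "https://wiki.example/watchlist"  # constructed sample host
    url = feed_url(base, "Alice", issue_feed_token("Alice"))
    print(url, "->", authorize_feed_request(url))
    issue_feed_token("Alice")  # user regenerates the token
    print("after rotation ->", authorize_feed_request(url))
```

Because the token travels in the URL, it will appear in server logs and in the aggregator's configuration, which is why the sketch scopes it to the feed and makes rotation a single call.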