Vladimir Dyuzhev, author of MockMotor

Vladimir Dyuzhev
MockMotor Creator

Basic HTTP Auth Mock


To enforce Basic HTTP Auth, use response with HTTP 401 when the request has no `Authorization` header.

For simplicity, MockMotor doesn’t require any authentication for incoming calls. However, sometimes the authentication exchange is the part that we need to test.

No problem, let’s simulate the Basic HTTP Auth logic.

What is Basic HTTP Auth

Basic HTTP Auth is one of the simplest ways to authenticate a web request. It sends a username and a password encoded (but not encrypted!) with each request.

Because the password can be read from the request, it is not secure when used over a plain HTTP connection.

Client-Server Exchange

A classic, two-request Basic HTTP Auth exchange goes like this:

1 A client calls a server with a web request.

POST http://127.0.0.1:7080/SelfTest/ForwardAuth HTTP/1.1
Content-Type: text/xml;charset=UTF-8
Content-Length: 44
Host: 127.0.0.1:7080

<HelloKitty>
	<Data>123</Data>
</HelloKitty>

2 The server notices that the request is not authenticated: Authorization HTTP header is missing.
3 The server responds with status HTTP 401 and a header WWW-Authenticate: Basic.

HTTP/1.1 401 Unauthenticated
WWW-Authenticate: Basic realm="accounting"
...

4 The client combines the username and the password into one string separating them with a colon, e.g. accounting:passw0rd, and encodes it as Base64, e.g. YWNjb3VudGluZzpwYXNzdzByZA==
5 The request is repeated with the same payload and a new HTTP header Authorization: Basic YWNjb3VudGluZzpwYXNzdzByZA==

POST http://127.0.0.1:7080/SelfTest/ForwardAuth HTTP/1.1
Authorization: Basic YWNjb3VudGluZzpwYXNzdzByZA==
Content-Type: text/xml;charset=UTF-8
Content-Length: 44
Host: 127.0.0.1:7080

<HelloKitty>
	<Data>123</Data>
</HelloKitty>

6 The server reads Authorization HTTP header from the request, extracts the username and the password from it and permits (or denies) the access.

HTTP/1.1 200 OK
Date: Mon, 25 Dec 2017 00:17:25 GMT
Content-Type: text/xml; charset=UTF-8
Content-Length: 750

<HelloKittyResponse>
...

Pre-Authentication

As you can notice, each transaction authenticated with Basic HTTP requires two HTTP requests. That takes extra network roundtrip time, increases the network saturation and consumes more resources on the client and the server. To remedy this problem, the client can pre-authenticate the request.

With a pre-authenticated request, the client sends the Authorization header with its first request and not waiting for HTTP 401 response. In other words, it starts right from step 4.

In fact, if the client doesn't pre-authenticate, you should point it out as a performance issue and fix it.

How to Mock Basic HTTP Auth

If you need to reproduce the server Basic HTTP Auth behaviour, create a response that matches only if Authorization header is NOT present. This response must be the first on the list. In that response, reply with HTTP 401.

If the Authorization header is found, MockMotor continues searching down the list, i.e. any response under the Reject ... is guaranteed to be authenticated.

Here is the full configuration of Reject unauthenticated requests response (unrelated sections are hidden):

1 The request matches only if the Authorization header is missing.
2 The response payload is a plain text string advising to authenticate.
3 HTTP Status is 401.
4 HTTP header WWW-Authenticate with value Basic added to the response.

Of course, the performed match is not too strict. We only check for the header presence, while we could also check for the specific type of Authorization (Basic) and even for the correctness of username and password values. However, this basic level of simulation is usually enough for testing. Feel free to improve the checks if it is required.

Check out Basic HTTP Auth on the demo site.