ODK Collect form download authentication

Am I right in understanding that ODK Collect (version 1.4.5 build 1048)
will not use authentication to download forms? It's not working for me, and
I don't see any authentication in DownloadFormsTask.java:
https://code.google.com/p/opendatakit/source/browse/src/org/odk/collect/android/tasks/DownloadFormsTask.java?repo=collect

According to the OpenRosa spec it should be able to:

  • is a fully formed URL for downloading the form to the device. It may be
    a valid http or https URL of any structure; the server may require
    authentication; the server may require a secure (https) channel, etc.

This seems important to me, since there can be cases where the form, even
without data, contains private / confidential information. As far as I can
see on ODK Aggregate and all ODK platforms all forms can be downloaded by
anyone if they know the URL, which often is not obscure. Am I missing
something?

Gregor

Incorrect.

On ODK Aggregate, access requires a user with data collector or data viewer
permissions:
https://code.google.com/p/opendatakit/source/browse/eclipse-aggregate-gae/war/WEB-INF/applicationContext-security.xml?repo=aggregate#84

In ODK Collect, the configuration of the HttpClient enables authentication:

https://code.google.com/p/opendatakit/source/browse/src/org/odk/collect/android/utilities/WebUtils.java?repo=collect#247

Digest auth treatments are handled by the framework and require that the
user's credentials be added to the CredentialsProvider:

https://code.google.com/p/opendatakit/source/browse/src/org/odk/collect/android/utilities/WebUtils.java?repo=collect#147

Basic auth (plaintext username and password) is sent pre-emptively if the
server connection is using https (is secured):

https://code.google.com/p/opendatakit/source/browse/src/org/odk/collect/android/utilities/WebUtils.java?repo=collect#336

On Fri, Mar 13, 2015 at 4:55 PM, Gregor MacLennan <gmaclennan@digital-democracy.org> wrote:

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Thanks for clarifying Mitch. I will debug my server code to figure out why
ODK was refusing to authenticate to it for form downloads.
Gregor

On Saturday, March 14, 2015 at 9:20:11 AM UTC-7, Mitch wrote:

Turns out that the lack of a 'user-agent' header was causing the 403, not
an issue with authorization. 'user-agent' should be set
(http://tools.ietf.org/html/rfc2616#section-14.43) but it's not a
requirement. Would be nice if ODK Collect set it though for APIs that
require it.

On Sunday, March 22, 2015 at 6:50:06 PM UTC-7, Gregor MacLennan wrote:
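The two behaviours this thread pins down, Mitch's description of the client (Basic sent pre-emptively only over https, Digest only in reply to a 401 challenge, credentials taken from a credentials store) and Gregor's finding that a server answered 403 when the User-Agent header was missing, as an added Python example; this is not ODK Collect's Java HttpClient code, and the in-process server, the credentials, realm, nonce and User-Agent string are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed values for this example only: no real server, account or nonce.
USER, PASSWORD, REALM, NONCE = "collector", "s3cret", "aggregate", "5f1c2a9e"
UA = "example-client/1.0"  # hypothetical User-Agent; its absence caused the 403 in the thread

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def server(headers, method="GET", uri="/formList"):
    """Constructed server: 403 without a User-Agent, 401 with a Digest challenge
    when no credentials are given, 200 only for a correct Basic or Digest header."""
    if "User-Agent" not in headers:
        return 403, {}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        ok = base64.b64decode(auth[6:]).decode() == f"{USER}:{PASSWORD}"
        return (200, {}) if ok else (401, {})
    if auth.startswith("Digest "):
        fields = dict(kv.split("=", 1) for kv in auth[7:].split(", "))
        expected = digest_response(USER, PASSWORD, REALM, NONCE, method, uri)
        return (200, {}) if fields.get("response") == f'"{expected}"' else (401, {})
    return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{NONCE}"'}

def download(url, user, password):
    """Client policy from the thread: always send a User-Agent; send Basic
    pre-emptively only over https; over plain http wait for the 401 and answer
    the Digest challenge. Returns (final status, whether Basic was ever sent)."""
    parts, headers = urlparse(url), {"User-Agent": UA}
    sent_basic = parts.scheme == "https"
    if sent_basic:  # plaintext credentials only travel inside TLS
        headers["Authorization"] = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    status, resp = server(headers, uri=parts.path)
    if status == 401 and resp.get("WWW-Authenticate", "").startswith("Digest "):
        chal = dict(kv.split("=", 1) for kv in resp["WWW-Authenticate"][7:].split(", "))
        realm, nonce = chal["realm"].strip('"'), chal["nonce"].strip('"')
        rsp = digest_response(user, password, realm, nonce, "GET", parts.path)
        headers["Authorization"] = (f'Digest username="{user}", realm="{realm}", '
                                    f'nonce="{nonce}", uri="{parts.path}", response="{rsp}"')
        status, _ = server(headers, uri=parts.path)
    return status, sent_basic
```

Over http the password itself never leaves the client, only the MD5 digest does, and a client that omits the User-Agent is refused before authentication is even considered.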

Created an issue to track this:
https://code.google.com/p/opendatakit/issues/detail?id=1122

On Tue, Mar 24, 2015 at 5:51 PM, Gregor MacLennan <gmaclennan@digital-democracy.org> wrote:

--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com