mapbox-maps-ios icon indicating copy to clipboard operation
mapbox-maps-ios copied to clipboard
verified publisher icon mapbox

CDN hosting SDK artifacts should return `WWW-Authenticate: Basic realm=...` header alongside 401s

Open djs-code opened this issue 1 year ago • 0 comments

(This is more of an hosting configuration request than it is an iOS SDK one, but I'm not currently aware of a better place to post this, so here we go.)

New Feature

The CDN (which looks to be Cloudfront, based on the HTTP responses I'm seeing) hosting the MapBox SDK artifacts should return WWW-Authenticate: Basic realm=... header alongside 401 responses.

Why

The current standard of configuring ~/.netrc files for authenticating with MapBox's CDN works well for personal development environments, but can be somewhat brittle in CI pipelines, especially those that run on bare metal without containerization.
One potential alternative here is to allow Mapbox's various Package.swifts to accept credentials from environment variables and bake them into the URLs themselves. As an example, the following code from mapbox-common-ios's Package.swift:

targets: [
    .binaryTarget(
        name: "MapboxCommon",
        url: "https://api.mapbox.com/downloads/v2/mapbox-common/releases/ios/packages/\(version)/MapboxCommon.zip",
        checksum: checksum
    ),

would be transformed into:

targets: [
    .binaryTarget(
        name: "MapboxCommon",
        url: {
            var urlComponents = URLComponents()
            urlComponents.scheme = "https"
            urlComponents.host = "api.mapbox.com"
            urlComponents.user = ProcessInfo.processInfo.environment["MAPBOX_API_USERNAME"]
            urlComponents.password = ProcessInfo.processInfo.environment["MAPBOX_API_PASSWORD"]
            urlComponents.path = "/downloads/v2/mapbox-common/releases/ios/packages/\(version)/MapboxCommon.zip"
            
            return urlComponents.url!.absoluteString
        }(),
        checksum: checksum
    ),

This change would continue to be fully backwards compatible with having a ~/.netrc file, but also allow users to authenticate in CI using only environment variables. This is a code change I myself would be up to volunteer contributing to the various open source repositories.

However, SPM has hitch necessitating the need for the aforementioned Cloudfront addition.

Even though the manual curl https://<username>:<password>@api.mapbox.com/downloads/v2/mapbox-common/releases/ios/packages/24.2.1/MapboxCommon.zip command works as expected, SPM will proactively strip out the provided URL's embedded credentials, perform the GET request, and only upon a 401 response code AND the presence of the WWW-Authenticate: Basic realm=... header will it retry the request with the previously stripped credentials Base64-encoded into the Authorization header.

Based on some cursory HTTP debugging, it looks like the Cloudfront instance Mapbox's binary artifacts are distributed from do not include the WWW-Authenticate: Basic realm=... header upon 401s.

djs-code avatar Mar 13 '24 22:03 djs-code