nginx-auth-request-module

Security: Misconfigurations can expose authenticated areas

Open putnam opened this issue 6 years ago • 0 comments

I was experimenting with auth_request today and realized there is a fairly scary pitfall awaiting server admins who may inadvertently trigger responses in the 200-300 range at their authentication endpoints.

For example, imagine you write some PHP to handle your auth requests. If PHP becomes misconfigured (perhaps by an errant upgrade, nginx accident, etc.), the PHP scripts become static files that will be served up happily with a 200 code, resulting in authentication succeeding for all clients. This may even fail silently for some setups.

It would be easy to prevent mistakes like this by providing a specific HTTP code in the auth_request directive that the endpoint should return. Perhaps if you added a second argument the user could define an obscure, unused HTTP code to match instead. This is safer since it requires affirmative responses from the auth endpoint rather than risk an accidental 200 due to misconfiguration (which, let's admit, happens from time to time).

putnam, Dec 19 '19 19:12
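
A monitoring check for the failure mode described in this issue, as an added example that is not part of the original issue or the module's own code: it sends a request with no credentials to the auth endpoint and passes only if the answer is 401 or 403, the two codes on which auth_request denies access. The function names, the URL argument and the sample responses are assumptions constructed for illustration.

```python
"""Canary probe: an unauthenticated request to the auth endpoint must be denied."""
import sys
import urllib.error
import urllib.request

DENY_CODES = {401, 403}              # auth_request denies access on these
SOURCE_MARKERS = (b"<?php", b"<?=")  # handler served as a static file, not executed

# Constructed sample responses (status, body) for an offline run.
SAMPLES = [
    (401, b""),                                   # healthy endpoint
    (200, b"<?php if (!check()) { deny(); } ?>"),  # PHP served as static text
    (204, b""),                                   # stub handler that always succeeds
    (404, b"not found"),                          # endpoint missing
]


def classify(status: int) -> str:
    """Verdict for the response to an UNAUTHENTICATED probe."""
    if status in DENY_CODES:
        return "ok"
    if 200 <= status < 300:
        return "fail-open"   # auth_request would allow every client
    return "unexpected"      # nginx treats any other code as an error


def leaked_source(body: bytes) -> bool:
    return any(marker in body for marker in SOURCE_MARKERS)


def check(status: int, body: bytes) -> tuple[str, bool]:
    return classify(status), leaked_source(body)


def probe(url: str, timeout: float = 5.0) -> tuple[str, bool]:
    """Request the endpoint with no credentials and evaluate the answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:  # 4xx/5xx are raised as exceptions
        status, body = err.code, err.read(4096)
    return check(status, body)


if __name__ == "__main__":
    # With a URL argument: probe it. Without: evaluate the constructed samples.
    results = [probe(sys.argv[1])] if len(sys.argv) > 1 else [check(*s) for s in SAMPLES]
    for verdict, leaked in results:
        print(f"verdict={verdict} source_leaked={leaked}")
    sys.exit(0 if all(v == "ok" and not l for v, l in results) else 1)
```

Run it from cron or a health check against the same internal URL that the auth_request directive points to; a non-zero exit means the endpoint no longer rejects anonymous requests.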