On 17/09/05, Ævar Arnfjörð Bjarmason avarab@gmail.com wrote:
Isn't it possible to just use HTTP authentication with RSS/Atom feeds? Or is this a problem for some reason?
[snip]
- where Brion points out that even if most RSS readers can use HTTP
authentication, MediaWiki can't, so it's not really all that helpful.
Well that could be fixed.
Yes, but saying "just use HTTP authentication" makes it sound like this is somehow the easy option. Implementing a whole new authentication scheme into MediaWiki just to let people have RSS watchlists isn't something I'd call easy...
Besides, given the range of readers people use to access RSS feeds, is HTTP-Auth even the best way to go? Think of a web-based aggregator, for instance, where the user-agent connecting to the MediaWiki server is essentially a bot on the server, with no visibility to the actual user - the user will have no chance to respond to an authentication challenge.
So the obvious alternative is to tell them to put their username and password into a "user:pass@host" format, to see if that works - but that means entering the password to their whole account in plain text, on a site which may or may not be all that trustworthy.
So instead of using the normal password, we let them use a special "watchlist password", which since they can just use copy-and-paste might as well be a randomly generated token. And then, to avoid things not recognising the "user:pass@host" format, we can just put that random token at the end of a special URL (it's not really logging them in anyway); in which case, we don't need to bother implementing HTTP Authentication after all.
And so we've come round full circle - a special URL containing a randomly generated token.