Allow DE using SDMX-RI authentication to connect to external NSI web service
As Fadhila,
I want in the DE to be able to authenticate to external data spaces using basic HTTP authentication,
So that when being forwarded by the DLM I can preview structures and data that come from external secured instances of the ISTAT toolkit or of SDMX-RI.
Requirements
Implement a mechanism to connect from DE to specific external NSI web services using the native NSI authentication mechanism (implemented by Eurostat and used by ISTAT) based on HTTP basic access authentication (BA). The DE user should be able to enter the required credentials in the DE GUI per external data space that is configured to require BA (through a new config option in datasources.json). Note that authentication is an option but might not be required by that service because anonymous users could be allowed to see the fully public data.
Because the BA field has to be sent in the header of each HTTP request for that data space, the web browser needs to cache the credentials for the current session to avoid constantly prompting the user for their username and password.
The user should be asked to enter the credentials (username, password) in a simple popup dialog on the first usage of that data space within the session. The data space should be mentioned in the popup, e.g. with title "Login to [space]".
Whenever the username or password fields are not filled (e.g. at first usage), the "Connect anonymously instead" checkbox is automatically checked. Whenever the user enters a username or a password, the checkbox is automatically unchecked. If the user checks the checkbox again, the username and password fields are cleared.
The user cannot cancel the popup dialog.
Once the "Login" button is clicked, whether with credentials or anonymously, the DE needs to check whether the NSI call failed due to incorrect credentials (unauthenticated request), which can be detected by the NSI returning an HTTP 401 (Unauthorized) error. In this case, the credential dialog reappears and states "Unauthorized: please enter a valid username and password".
The credential popup should be made in a way that allows standard web browsers to automatically store and manage the credentials in the browser's inbuilt password manager.
All mentioned labels are to be localised, and can be shared with the similar popup of the DLM.
Technical analysis results:
- we are using the axios library, which supports Basic Auth
- the response to the connection request should return the auth credentials
- we will store the session in localStorage, with the auth credentials, the username, the password and the datasource id
- this does not apply to internal datasources, which will use the Keycloak Bearer token
PM: If possible, share the credential storage between DLM and DE (since DE is used as data previewer).
If a specific external datasource replies 401 or if the config option is set for that space, a popup is shown to handle basic auth.
This means that the request API needs to be updated to support this new behaviour for external datasources:
- check localStorage
- if the new datasource config option to require authentication is not set: normal/current flow (ignore all following steps)
- if the new datasource config option to require authentication is set: show auth popup ("Please enter a username and password")
- if credentials entered: request with credentials
- if anonymous mode: anonymous request
- if 200: ok
- if the new datasource config option to require authentication is set and 401: show auth popup ("Unauthorized: please enter a valid username and password")
Even if some datasources are hosted by the same org and could have the same credentials, we segregate sessions by datasource ids.
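A sketch of the request flow listed above, including the per-datasource session segregation; it is an added example, not code from the DE or DLM. The names `requestExternal`, `requiresAuth`, `send`, `promptCredentials` and the `basicAuth:<id>` storage key are assumptions, and the storage, HTTP call and popup are injected so the flow runs without a browser or axios.

```javascript
// Added example, not project code. requiresAuth, send, promptCredentials and
// the "basicAuth:<id>" key format are hypothetical names.
const MSG_FIRST = 'Please enter a username and password';
const MSG_RETRY = 'Unauthorized: please enter a valid username and password';

// One storage entry per datasource id, so credentials are never reused across
// data spaces even when two of them belong to the same organisation.
const storageKey = (datasourceId) => `basicAuth:${datasourceId}`;

// Build the Authorization header value; UTF-8 encode so non-ASCII input is safe.
function basicHeader(username, password) {
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  return 'Basic ' + btoa(String.fromCharCode(...bytes));
}

// send(url, headers) -> Promise<{status}>; with axios this would wrap axios.get.
// promptCredentials(id, message) -> Promise<{anonymous, username, password}>.
async function requestExternal(datasource, url, { storage, send, promptCredentials }) {
  // Config option not set: normal/current flow, no popup and no header.
  if (!datasource.requiresAuth) return send(url, {});

  const key = storageKey(datasource.id);
  let session = JSON.parse(storage.getItem(key) || 'null');
  let message = MSG_FIRST;
  for (;;) {
    if (!session) {
      const input = await promptCredentials(datasource.id, message);
      session = input.anonymous
        ? { anonymous: true }
        : { anonymous: false, username: input.username, password: input.password };
    }
    const headers = session.anonymous
      ? {}
      : { Authorization: basicHeader(session.username, session.password) };
    const response = await send(url, headers);
    if (response.status !== 401) {
      storage.setItem(key, JSON.stringify(session)); // not rejected: keep it
      return response;
    }
    // 401: drop the rejected session for this datasource only and ask again.
    storage.removeItem(key);
    session = null;
    message = MSG_RETRY;
  }
}
```

Because `storage` is injected, the same flow runs against `localStorage` as the analysis proposes, or against `sessionStorage` if the stored password should not outlive the tab, which is closer to the "current session" wording in the requirements.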
Example web service (see "ISTAT-DMM-demo" in DLM2): https://istat-dmm-demo.siscc.org/NSI_WS/rest/dataflow/OECD/AIR_EMISSIONS_TEST/1.0