Allow DLM using SDMX-RI authentication to connect to external NSI web service
As Fadhila,
I want to be able to authenticate from the DLM to external data spaces using basic HTTP authentication,
So that I can securely retrieve structures and data from external instances of the ISTAT toolkit or of SDMX-RI.
Requirements
Implement a mechanism to connect from DLM to specific external NSI web services using the native NSI authentication mechanism (implemented by Eurostat and used by ISTAT) based on HTTP basic access authentication (BA). The DLM user should be able to enter the required credentials in the DLM GUI per external data space that is configured to require BA (through a new config option in datasources.json). Note that authentication is an option but might not be required by that service because anonymous users could be allowed to see the fully public data.
Because the BA field has to be sent in the header of each HTTP request for that data space, the web browser needs to cache the credentials for the current session to avoid constantly prompting the user for their username and password.
The user should be asked to enter the credentials (username, password) in a simple popup dialog on the first usage of that data space within the session. The data space should be mentioned in the popup, e.g. with the title "Login to [space]", where [space] is visually coloured as usual.
Whenever the username and password fields are not filled (e.g. at first usage), the "Connect anonymously instead" checkbox is automatically checked. Whenever the user enters a username or a password, the checkbox is automatically unchecked. If the user checks the checkbox again, the username and password fields are cleared.
The user should be able to cancel the popup dialog at any time, which will result in not executing the underlying NSI request and in cancelling the related user action.
Once the "Login" button is clicked, whether with credentials or anonymously, it must be checked whether the NSI call was unsuccessful due to incorrect credentials (unauthenticated request), which can be done by checking whether the NSI returned an HTTP 401 error (Unauthorized). In this case, the credential dialog reappears and states "Unauthorized: please enter a valid username and password".
The credential popup should be made in a way that allows standard web browsers to automatically store and manage the credentials in the browser's inbuilt password manager.
All mentioned labels are to be localised.
Technical analysis results:
- we are using the axios lib, which supports the Basic Auth feature
- the response to the connection request should return the auth credentials
- we will store the session in localStorage, with the auth credentials, the username, the password and the datasource id
- not for internal datasources, which will use the Keycloak Bearer token
If a specific external datasource replies 401, or if the config option is set for that space, a popup is shown to handle basic auth.
This means that the request API needs to be updated to support this new behaviour if external:
- check localStorage
- if not external: normal/current flow (ignore all following steps)
- if external and if new datasource config option to require authentication: show auth popup ("Please enter a username and password")
  - if credentials entered: request with credentials
  - if anonymous mode: anonymous request
  - if popup cancelled: SDMX request not done (artefacts list not filled for that data space)
- if external and if not new datasource config option to require authentication: anonymous request
- if external and 200: ok
- if external and 401: show auth popup ("Unauthorized: please enter a valid username and password")
Even if some datasources are hosted by the same org and could have the same credentials, we segregate sessions by datasource ids.
Example web service (see "ISTAT-DMM-demo" in DLM2): https://istat-dmm-demo.siscc.org/NSI_WS/rest/dataflow/OECD/AIR_EMISSIONS_TEST/1.0
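
The request flow from the technical analysis above, as an added JavaScript example (not DLM code). `nsiRequest`, the datasource fields `isExternal` and `requireAuth`, and the injected `http`, `store` and `prompt` are assumptions; `http` accepts an axios request config and `store` is any Web Storage object.

```javascript
// Added example, not DLM code. Assumptions: `isExternal` and `requireAuth` are
// hypothetical datasource fields (the page does not name the config option);
// `http` is axios or a stand-in taking an axios request config; `prompt` shows
// the login popup and resolves to {username, password}, {anonymous: true},
// or null when the popup is cancelled.
const FIRST_MSG = 'Please enter a username and password';
const RETRY_MSG = 'Unauthorized: please enter a valid username and password';

// One stored session per datasource id, even when two spaces share an org.
const sessionKey = (ds) => `basicAuth:${ds.id}`;

async function nsiRequest(ds, url, { http, store, prompt }) {
  // Internal spaces keep the current flow (Keycloak Bearer token).
  if (!ds.isExternal) return http({ url });

  let session = JSON.parse(store.getItem(sessionKey(ds)) || 'null');
  let message = FIRST_MSG;
  let mustPrompt = !session && Boolean(ds.requireAuth);

  for (;;) {
    if (mustPrompt) {
      const answer = await prompt(ds.id, message);
      if (answer === null) return { cancelled: true }; // no SDMX request is sent
      session = answer.anonymous
        ? { anonymous: true }
        : { username: answer.username, password: answer.password };
    }
    // Let 401 resolve instead of reject so it can be handled here.
    const config = { url, validateStatus: (s) => (s >= 200 && s < 300) || s === 401 };
    if (session && !session.anonymous) {
      // axios turns `auth` into an "Authorization: Basic ..." header.
      config.auth = { username: session.username, password: session.password };
    }
    const res = await http(config);
    if (res.status !== 401) {
      // Remember the working choice so the popup appears once per data space.
      if (session) store.setItem(sessionKey(ds), JSON.stringify(session));
      return res;
    }
    store.removeItem(sessionKey(ds)); // drop rejected credentials
    session = null;
    message = RETRY_MSG;
    mustPrompt = true;
  }
}
```

Passing `sessionStorage` as `store` keeps the credentials only for the current browser session, as the requirements describe, whereas `localStorage` keeps them until they are removed.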