Problem/Motivation
Currently, the only way to add authentication to a REST View is through RouteSubscriberBase->alterRoutes().
We could add the Authentication setting to REST Views so users could select the supported authentication methods for a particular Views display. It would look like the following screenshot:
The above view lists unpublished content in JSON format. Authentication has been set to Basic Auth, so requests to http://mysite.com/unpublished-content will require HTTP Basic authentication headers provided with a valid username and password. Note that Access has been set to Authenticated User role, since the default access requirement is "Access content", which is part of the Anonymous role. Alternatively, we could also set a permission that belongs to the Authenticated User role. I am not sure about how to make this more obvious to the site builder.
How to test
- Install Drupal and enable Rest, Hal, Basic Auth
- Add a Rest export display on /node
- Generate some frontpage nodes
curl --request GET http://drupal.d8/node?_format=hal_jsoncurl --request GET http://admin:admin@drupal.d8/node?_format=hal_jsongives access denied- Apply the patch
- Set basic auth as Authentication methods for the Rest Export display
curl --request GET http://admin:admin@drupal.d8/node?_format=hal_jsongives result.
Proposed resolution
Remaining tasks
Revert AuthenticationManager ::getSortedProviders to private once #2490228: Add Authentication Collector lands.