I am doing the Authentication module in Building Web Servers (module 4.2), and it’s confusing. Do I understand it correctly that when the browser initiates a conversation with the server, and it is confirmed by the ESP that “!request ->authenticate” (i.e. no authenticate request was sent by the browser), then the ESP server will send the requestAuthentication(), along with the files? Is this request interpreted by the browser as “bring up the login page”?
As a related question, the explanation in the eBook talks about the logout process, and even has a function labeled logoutButton — but there is no button in the webpage like that…. surprisingly, the concept of logon seems to be missing. Mention is made of the logged_out.html, but what triggers this? Can this be clarified? Thanks !
Hi.
Yes to your first question.
As for the logout. There isn’t a button, there is an icon to logout, see the following tag:
<h1>ESP WEB SERVER <i class="fas fa-user-slash icon-pointer" onclick="logoutButton()"></i></span></h1>
When you click on that Font Awesome icon (fas fa-user-slash-icon-pointer), it calls the logoutButton() function that is in the JavaScript file.
The logoutButton() function makes a request on the /logout URL. The ESP sends back the logout page.
xhr.open("GET", "/logout", true);
After a second, it makes a request on the /logged-out URL which is what actually logs out the user.
setTimeout(function(){ window.open("/logged-out","_self"); }, 1000);
Maybe this is a bit confusing. Let me know if it is more clear now or if you need some more clarification.
Regards,
Sara
Hi Sara … still a little confusing. Focusing on the 2 AsyncWeb statements: server.on(“/”…) and server.serveStatic(“/”…) ….. if the authentication parts are left off, this is a normal conversation: the browser pokes the server with a “/” and the server responds with both of these 2 functions. When the authentication stuff is added to both these functions, which is it that triggers the input form: the server.serveStatic()’s .setAuthentication or the fact that request->authenticate in the server.on() function is now checking for additional info from the browser and doesn’t find it (prompting it to send out the requestAuthentication)? I wish there were a better definition of this sequence of events, but I haven’t found any website I can read. Even the GitHub site is a bit thin. Finally, an additional question: according to what I read, when the server sends a 401 signal, that should prompt for a login … but it’s being sent on /logout …. uggh. Thanks for any further clarification.
Hi again.
The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
So, after sending that 401, the user can no longer access the web page files until they log in again. So, it is the same as logging out the user. We want this to happen when the user clicks on the logout icon, which will trigger the /logout request.
I guess there are different ways to do this. I’m not sure what is the best method.
Regards,
Sara
Thanks for that 401 clarification. I’m still puzzled about who initiates the authentication window popup: 1) the server.serveStatic()’s .setAuthentication or 2) the fact that the server.on(“/”…) is specifying that there be a request->authenticate. Thanks for your patience with me! (useful to know in case there is no serveStatic())
Hi again.
It’s the following line (option 2) if you’re accessing the web server on the root URL:
return request->requestAuthentication();
Regards,
Sara
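The exchange discussed in this thread, sketched as an added example that is not part of any post or of the eBook's code: a plain C++ model (no ESPAsyncWebServer involved) of how the "/" handler answers with a 401 challenge when no credentials arrive, and how /logout answers with 401. The HTTP Basic scheme, the admin:admin credentials, the realm, and the names handle, sameCredentials and kExpected are assumptions made for illustration.

```cpp
// Added illustration: a stand-alone model of the exchange; not ESPAsyncWebServer code.
#include <iostream>
#include <map>
#include <string>

using Headers = std::map<std::string, std::string>;
struct Response { int status; Headers headers; };

// Constructed sample value: "Basic " + base64("admin:admin"). Assumed scheme: HTTP Basic.
static const std::string kExpected = "Basic YWRtaW46YWRtaW4=";

// Compare without an early exit so response time does not reveal how much matched.
bool sameCredentials(const std::string& a, const std::string& b) {
    unsigned diff = (a.size() == b.size()) ? 0u : 1u;
    for (std::size_t i = 0; i < a.size() && i < b.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Stands in for request->authenticate(): true only if the browser sent matching credentials.
bool authenticate(const Headers& req) {
    auto it = req.find("Authorization");
    return it != req.end() && sameCredentials(it->second, kExpected);
}

// Stands in for request->requestAuthentication(): a 401 carrying a challenge header.
// The browser reacts to this response by showing its own login dialog.
Response requestAuthentication() {
    return {401, {{"WWW-Authenticate", "Basic realm=\"ESP\""}}};
}

Response handle(const std::string& path, const Headers& req) {
    if (path == "/logout") return {401, {}};                 // the 401 sent on /logout
    if (!authenticate(req)) return requestAuthentication();  // first visit: no header yet
    return {200, {}};                                        // credentials accepted
}

int main() {
    Headers first, retry = {{"Authorization", kExpected}};
    std::cout << "GET / (no credentials) -> " << handle("/", first).status << "\n";
    std::cout << "GET / (after login)    -> " << handle("/", retry).status << "\n";
    std::cout << "GET /logout            -> " << handle("/logout", retry).status << "\n";
}
```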