mORMot Open Source

I'm implementing JWT authentication in my project, and previously I was using a third party JWT library and storing the token on a cookie so it was transparent on the client side as the cookie was sent on every request.

Now I've replaced the JWT implementation on the server side and everything is OK.

But I can't figure out how to send the token back to the server after I get it on the client side, right now what I have is:

- Client sends login/password to server
- Server authenticates and returns the token (string)

This is working just fine, but on the client I need to read the token payload, so what I did was something like this:

FToken := LoginService.Login(AUserName, APassword);

if TJWTAbstract.VerifyPayload(FToken, '', 'Monde', '') <> jwtValid then
    raise EValidationError.Create('Invalid Token.');

Token := TJWTHS256.Create('', 0, [], []);
try
  Token.Verify(FToken, JWT); // Is this the only way to read the payload values? 

  UserID := JWT.data.S['uid'];
finally
  Token.free;
end;

Is this the correct way to read the token's payload on the client side?

Now, how do I send the token on the Header now so the server can authenticate the client?

I was using an old version of mORMot and had 2 methods wich returned a TServiceCustomAnswer (for performance purposes, as they return a lot of data), now I've updated mORMot and the behavior changed for these methods.

When I return a Integer for example in an interface based method service, if something goes wrong on the server, an exception is raised on the client side.

I have a lot of handling for these exceptions, like handling disconnects, proxy errors, expired token, etc.

And now the 2 methodos which returns TServiceCustomAnswer doesn't raise exceptions anymore and I'll have to handle it differently from the other methods.

I agree that raising exceptions isn't REST friendly, but having 2 different behaviours based on the method return is very confusing (took me some time to figure it out) and in my case will result in some duplicated code to handle errors differently in these methods.

Is there some way to maintain the old behavior for theses methods?

I'm implementing an interface based service and would like to run each request in a database transaction.

My first attempt was to use an interceptor, it worked, something like this:

procedure TRESTServer.TransactionInterceptor(Sender: TServiceMethodExecute; Step: TServiceMethodExecuteEventStep);
begin
  case Step of
    smsBefore: BeginTransaction;
    smsAfter: Commit;
    smsError: Rollback;
  end;
end;

The problem is that if the client timesout and is not able to process the result, the `smsAfter` is executed and the transaction is commited.

From what I've noticed in the code, when the timeout occurs the exception is handled in this code:

on E: Exception do
            // handle any exception raised during process: show must go on!
            if not E.InheritsFrom(EHttpApiServer) or // ensure still connected
               (EHttpApiServer(E).LastError<>HTTPAPI_ERROR_NONEXISTENTCONNECTION) then
              SendError(STATUS_SERVERERROR,E.Message,E);

The problem is that in the case of client disconnect, it just ignores the error and I can't rollback the transaction.

Is it possible to do this somehow?

I'm trying to make a method which will redirect, and the result status and headers are overriden after checking if the Answer is TServiceCustomAnswer.

My method just returns a string (also tested with a procedure) and I'm redirecting using the following code:

CurrentServiceContext.Request.Redirect(URL);

But in this point, the Status code and OutHead are overriden:

        if exec.ExecuteJson([instancePtr],Ctxt.ServiceParameters,WR,Ctxt.ForceServiceResultAsJSONObject) then begin
          Ctxt.Call.OutHead := exec.ServiceCustomAnswerHead;
          Ctxt.Call.OutStatus := exec.ServiceCustomAnswerStatus;
        end else begin

At this point Ctxt.Call.OutHead and Ctxt.Call.OutStatus are correct but it gets set to empty string as the ServiceCustomAnswer stuff is blank.

Also, it would be nice to specify the HTTP Status code in the Redirect method, instead of Permanent True/False, I'd like to use 302 (Found).

Is this a bug or am I doing something wrong?

I'm forwarding the logs to papertrail and there are some sensitive information on environment variables.

By default mORMot is logging all env vars, is there a coniguration to disable it?

I'm trying to implement a custom authentication (based on the JWT standard http://jwt.io/) and looking at the mORMot code I think it's not possible to implement it without "touching" the mORMot sessions, which I will not have.

So far what I was able to do was:

- Create my custom authentication method
- Register it and set BypassAuthentication = true on the service
- The client calls this auth method first to get a token, then send this token on every request
- Then I override TSQLRestRoutingREST.Authenticate method to validate the token

It works, but it doesn't feel "right".

Also I can't call my interface IAuth because it conflicts with the one that mORMot registers. Looking at the code, it is implemented by TSQLRestServer.Auth (which is not virtual) and call the TSQLRestServerAuthentication.Auth which relies on session.

It would be nice if I could override TSQLRestServer.Auth or if there was a base class (simpler than TSQLRestServerAuthentication) which didn't rely on sessions that I could use to implement this kind of Auth without overriding a lot of stuff.

Does it make sense?

I'm trying to implement a stateless authetication, which by stateless I mean: no in memory session and nothing on server (apart from the first authentication) and I'd like to know if there is already something like this implemented.

What I need is a flow like this:

- User calls the login method
- Server auth him using the database
- Saves his ID and some other info in a cookie
- Then create a HMAC "hash" using a secret key + the data on the cookie and save this in the cookie
- After this, every other request he will send this cookie and the server will recompute the data in the cookie to match the "hash"

This is something like amazon does with pre-authenticated URLs, but I'm storing in a cookie.

Is there something like this already implemented in mORMot?

AFIAK all the authentication methods saves the session on server, so with a load balancer mixing requests between nodes the user would have to authenticate in all nodes, which I want to avoid.

I'm migrating a project from datasnap to mORMot and we override some datasnap funcionallity, but keeping it short, I'm overriding the GetRecords of the dataset on client and server side.

In my first implementation I was returning TBytes from the server, but I noticed that it was a little slow and was consuming a lot of time to marshall the JSON, then I did some tests and tried 2 new things:

1: return TServiceCustomAnswer, but I have a var parameter. So I'd have to write a custom "packet" to return it alongside the data.
2: return RawByteString instead of TBytes, noticed a big improvement on the content length maybe because of better compression.

Here is a sample code of what I'm doing right now (with RawByteString):

function TRESTServerMethods.GetRecords(const ProviderName: string; const Count: Integer; var RecsOut: Integer; const
    Options: Integer; const CommandText: string; const Params: TArray<TArray<Variant>>; const Where: string):
    RawByteString;
begin
    Buffer := VariantArrayToBytes(Provider.GetRecords(Count, RecsOut, Options, CommandText, OleParams, OwnerData));
    SetString(Result, PAnsiChar(Buffer), Length(Buffer));
end;

Also I noticed (using manual testing, did no benchmark) that between TServiceCustomAnswer and JSON with RawByteString there is no to little improvement, but from TBytes to RawByteString there's a big improvement, mainly in content length.

Here's a comparison:

TBytes:
Total time: 350ms
Length: 4211661
Server time: 246.371

RawByteString
Total time: 260ms
Length: 2197186
Server time: 227.480

Total time is measured on the Client Side running locally, it is the total time to open the dataset with 5K+ records. Server time is what mORMot prints on the log for the request.

Notice that the content length using RawByteString é almost 50% of TBytes.

So, my question is:

Is this the fastest way to return this kind of data? Any suggestions?

Is it possible?

I've implemented a callback method using TSQLHttpServer and Websockets but as I can tell from my tests and the code, the TSQLHttpClientWebsockets uses a TCrtSocket derived class which does not allow proxy configuration.

I tried to set the proxy in WinHTTP using

netsh winhttp import proxy source=ie

but this class is not using it.

Can I use a proxy server with the TSQLHttpClientWebsockets class?

I'm trying to implement a websockets only notification server which will only receive new notifications and broadcast to all connected clients. I'm using the chat sample code as example: https://github.com/synopse/mORMot/blob/ … er.dpr#L55

But I'm not sure how to implement security on it, I tested with the example code and I can access the methods using http, ex: if I make a GET request on http://localhost:8888/root/NotificationService.Notify it returns result: [].

I was able to add http authentication with:

TSQLRestServerFullMemory.CreateWithOwnedAuthenticatedModel([], 'user', TSQLAuthUser.ComputeHashedPassword('pass'));

But can I run the websocket and https together? As using this method the username and hashed password are exposed on the URL.

What I'd like to do is allow websocket only connection to authenticated clients only (the clients will be all Delphi applications, both the application which notifies and the clients).

Which is the recommended way to implement that?