#1 2016-02-10 16:39:36

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Implement custom Auth without sessions

I'm trying to implement a custom authentication (based on the JWT standard http://jwt.io/) and looking at the mORMot code I think it's not possible to implement it without "touching" the mORMot sessions, which I will not have.

So far what I was able to do was:

- Create my custom authentication method
- Register it and set BypassAuthentication = true on the service
- The client calls this auth method first to get a token, then sends this token on every request
- Then I override the TSQLRestRoutingREST.Authenticate method to validate the token

It works, but it doesn't feel "right".

Also I can't call my interface IAuth because it conflicts with the one that mORMot registers. Looking at the code, it is implemented by TSQLRestServer.Auth (which is not virtual) and calls TSQLRestServerAuthentication.Auth, which relies on sessions.

It would be nice if I could override TSQLRestServer.Auth or if there was a base class (simpler than TSQLRestServerAuthentication) which didn't rely on sessions that I could use to implement this kind of Auth without overriding a lot of stuff.

Does it make sense?

Last edited by fabioxgn (2016-02-10 16:39:52)


#2 2016-02-11 09:17:42

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,232

Re: Implement custom Auth without sessions

Why not use the TSQLRestServer.OnBeforeURI event?

It intercepts all TSQLRestServer.URI processing, so you may be able to make your own authentication directly, without using the sessions.

