#1 mORMot 2 » Unique Key User Authentication » 2024-10-29 14:05:52

claudneysessa
Replies: 1

Good morning,

I would like to start by saying that I have been using MORMOT for several years, and the tool is fantastic, but until now I was using it for internal communication, which could be used at a higher technical level. However, due to recent demands, I need to make the generated API available to third parties, and at this point I came across some questions regarding the complexity of the connection.

Today, to open a connection, I use ClientNonce and SessionSignature. After authentication, I can work normally. However, to make this available to third parties, I need a simpler way that can be supported by, for example, BI tools, where I have a unique key or a JWT to start the session without using ClientNonce and SessionSignature: a unique key.

Would this be possible?

#2 mORMot 1 » Publishing Methods to Swagger » 2023-04-05 20:23:14

claudneysessa
Replies: 1

Hello,

I'm trying to implement the documentation of an API with SWAGGER together with MORMOT here, and I have a small doubt that I couldn't find in the documentation.

I saw that for it to be published, the methods must be made with an interface, so far so good, but I need to show specific methods in this documentation and hide some, can anyone help me with an explanation of how I could do this?

I used Example27, which does this type of implementation, but I couldn't figure out how to publish just some methods and hide the others... Here it presented all the methods I did and a few more that I believe are internal API code.

#3 Re: mORMot 1 » WEB authentication using MORMOT » 2023-04-04 12:26:35

Unfortunately, after a lot of struggle, I couldn't make it work using the MORMOT authentication method. I ended up overwriting some classes with helpers, and I managed to speed up my life here, but I was sad because I wanted to use it in the standard way; I don't have much time to do it.

Some points that could improve in the documentation:

  • Explain better how to compose that 3-valued key.

  • Being able to pass the session_signature through the header.

  • Being able to choose the name of the authentication TAG.

About the key encoded as 3 hexadecimal 32-bit cardinals: this is very confusing and little explained. For those who consume it in Delphi it is a wonder, but thinking about the API it is very difficult to reach a satisfactory result.

And, in relation to being able to change the name of the authentication parameter, it would be nice to be able to use, for example, authentication instead of session_signature, and to be able to pass it through the header; today MORMOT is stuck with this being informed in the URL.

#4 Re: mORMot 1 » WEB authentication using MORMOT » 2023-04-03 14:52:37

Good morning,

I apologize, I don't think I expressed myself correctly, but it's a little annoying to spend hours reading a manual, follow all the steps without leaving any out, have a question, ask and receive a response of "Read the documentation", that is, I just read it, implemented it and it didn't work; maybe something is missing in the documentation to help...

I'm testing on:
  - Java
    - Using Http Client
  - dart
    - Using Http Client
  - Delphi (Object Pascal)
    - Using RESTClient

I think this is transparent because if I'm using standard HTTP requests this should work the same regardless of the language I'm working with...

I'm having problems with the session_signature... I even tried to implement something with helpers to see if it would solve it.

That's why I made the previous post with all the data I generated, to see if I'm doing something wrong; apparently all the coding is correct... but in a piece of code it gives an error.

In this place:

function TSQLRestServerAuthenticationSignedURI.RetrieveSession(
   Ctxt: TSQLRestServerURIContext): TAuthSession;
var aTimestamp, aSignature, aMinimalTimestamp, aExpectedSignature: cardinal;
     PTimestamp: PAnsiChar;
     aURLlength: Integer;
begin
   result := inherited RetrieveSession(Ctxt);
   if result=nil then
     exit; // no valid session ID in session_signature
   if Ctxt.URISessionSignaturePos+(18+8+8+8)>length(Ctxt.Call^.url) then begin
     result := nil;
     exit;
   end;
   aURLlength := Ctxt.URISessionSignaturePos-1;
   PTimestamp := @Ctxt.Call^.url[aURLLength+(20+8)]; // points to Hexa8(Timestamp)
   aMinimalTimestamp := result.fLastTimestamp-fTimestampCoherencyTicks;
   if HexDisplayToCardinal(PTimestamp,aTimestamp) and
      (fNoTimestampCoherencyCheck or (integer(aMinimalTimestamp)<0) or // <0 just after login
       (aTimestamp>=aMinimalTimestamp)) then begin
     aExpectedSignature := fComputeSignature(result.fPrivateSaltHash,PTimestamp,
       pointer(Ctxt.Call^.url),aURLlength); // <<<<<< !!! HERE !!!
     if HexDisplayToCardinal(PTimestamp+8,aSignature) and
        (aSignature=aExpectedSignature) then begin // <<<<<< !!! HERE !!!
       if aTimestamp>result.fLastTimestamp then
         result.fLastTimestamp := aTimestamp;
       exit;
     end else begin
       {$ifdef WITHLOG}
       Ctxt.Log.Log(sllUserAuth,'Invalid Signature: expected %, got %',
         [Int64(aExpectedSignature),Int64(aSignature)],self);
       {$endif}
     end;
   end else begin
     {$ifdef WITHLOG}
     Ctxt.Log.Log(sllUserAuth,'Invalid Timestamp: expected >=%, got %',
       [aMinimalTimestamp,Int64(aTimestamp)],self);
     {$endif}
   end;
   result := nil; // indicates invalid signature
end;

I already tested several libraries to generate the hash and the CRC32; apparently they are being generated correctly, but it always hangs in this piece of code that I informed.

I am not managing to evolve because apparently I followed without fail what is written in the documentation but the authentication is always rejected...


.
.
.

In this example it is not clear how I do this validation, because I don't know for sure how the Timestamp thing works. I identified that there is a URL on the server that gives me a timestamp, but even with it I can't get a result that works.


In order to enhance security, the session_signature parameter will contain, encoded as 3 hexadecimal 32-bit cardinals:

The Session ID (to retrieve the private key used for the signature);
A Client Time Stamp (in 256 ms resolution) which must be greater or equal than the previous time stamp received;
The URI signature, using the session private key, the user hashed password, and the supplied Client Time Stamp as source for its crc32 hashing algorithm.
Such a classical 3 points signature will avoid most man-in-the-middle (MITM) or re-play attacks.

Here is a typical signature to access the root URL:

root?session_signature=0000004C000F6BE365D8D454
In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, computed by the following Delphi expression:

(crc32(crc32(fPrivateSaltHash,PTimestamp,8),pointer(aURL),aURLlength)=aSignature);
For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6 will have the following URI:

root/People/6?session_signature=0000004C000F6DD02E24541C

#5 Re: mORMot 1 » WEB authentication using MORMOT » 2023-03-30 15:36:01

Look, to be honest I expected a little more from a support FORUM for such a cool tool.

If I demonstrated the step by step, with examples of what I generated there in my POST, it means that I read the manual and implemented it, but I am having difficulties. A common thing, because MORMOT is a very complex tool with many details.

Well, I can't count on SUPPORT, so I'll follow and try to solve it my way, but here's my frustration, because the manual talks very vaguely about the subject; some may have this power of abstraction to solve it, others don't.

A little empathy is lacking in wanting to help others.

Without further ado and thank you for your attention.

#6 Re: mORMot 1 » WEB authentication using MORMOT » 2023-03-29 16:21:38

So my friend, I know, I already looked at this documentation. I've been trying for a few days and still haven't succeeded...
I've done this 1000x different ways but it doesn't give me a valid session_signature...
The last part for me was not clear:
"The URI signature, using the session private key, the user hashed password, and the supplied Client Time Stamp as source for its crc32 hashing algorithm."
I even found an example in Java within the Mormot sources; could you make these steps a little clearer in the last part of the 3-factor code there?

I know that your time must be very busy, that you have to study, you have to research more. I really am having a great difficulty in this part; if you can at least give me a little help there to better understand the last part, I thank you!

Just tell me where I'm going wrong and I'll do the rest


- - - - - - - - - - -
My Case
- - - - - - - - - - -

Urlbase: http://localhost:6666/
FunctionUrl: http://localhost:6666/root/Hello?session_signature=
UserName: SUPERVISOR
Password: DBM

- - - - - - - - - - -
Step 1
- - - - - - - - - - -

Url Request 1:

http://localhost:6666/root/Auth?UserName=SUPERVISOR

clientNonce: 4a978da94aed4402310ce044f42d141fc9d79ea74fe5c067b5958a8fee7c1a3c

- - - - - - - - - - -
Step 2
- - - - - - - - - - -

Url Request 2: http://localhost:6666/root/Auth?UserName=SUPERVISOR&PassWord=DBM&ClientNonce=3f7b950a5f81731a0973fe12c8e48bf9c63c920b37cc585414cc4587bdf7aa12

sessionAuthentication:

{
    "result": "541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C",
    "logonid": -1,
    "logonname": "SUPERVISOR",
    "logondisplay": "SUPERVISOR",
    "logongroup": 3,
    "timeout": 60,
    "server": "SPAMME_V07001_R001",
    "version": "7.1.1.4"
}


// SessionKey = value of ["result"] on sessionAuthentication

sessionKey: 541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C

// sessionId = Copy of Digits on sessionKey before "+"

sessionId: 541010933

// privateKey = Copy of Digits on sessionKey after "+"

privateKey: 8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C

// sessionIdHexa8 = Hexa of sessionId Pad Left (8,0)

sessionIdHexa8: 203f2bf5

// passwordHexa = SHA256 of PassWord

passwordHexa: 588b7c1c3ddda23b3e89b452e767139d68432cdc5581b3dd360901e12efe2201

// sessionPrivateKey
// long r = CRC32.calculate(sessionKey, 0);
// sessionPrivateKey = CRC32.calculate(passwordHexa, r);

sessionPrivateKey: 725205751

- - - - - - - - - - -
Step 3
- - - - - - - - - - -

Date to Generate Nonce: 2023-03-29 15:52:34.600516
dateToTimeStamp256: 6562952
nonce (dateToTimeStamp256 in Hexa): 00642488
signature: 2896200956
signatureHexa: aca084fc

Right now my biggest question is:

When generating CRC32, what do I use as a url?

I use the value [ http://localhost:6666/root/Hello ] ?
I use the value [ root/Hello ] ?
I use the value [ http://localhost:6666/root/Hello? ] ?
I use the value [ root/Hello? ] ?

sessionSignature: 203f2bf500642488aca084fc
sessionSignaturePrint: 203f2bf5-00642488-aca084fc

- - -

Url Request 3 :

http://localhost:6666/root/Hello?session_signature=203f2be900642479ba5015c6

{errorCode: 403, errorText: Authentication Failed: Invalid signature (0)}



I'm asking for help because I've tried everything exactly as stated in the manual, in the doc on the forums... And I can't find the problem
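An added worked example (not code from the posts above nor from mORMot itself) that puts together the session_signature recipe quoted from the documentation in post #4 and the step-by-step values in the post above, as both the client-side signing and the server-side check that mirrors the quoted RetrieveSession. It assumes the framework's crc32 is the standard zlib CRC-32 and that the signed text is the request path without scheme and host, including the '?' or '&' placed before session_signature=; the sample session key and password hash are the values from the post, and the function names are mine.

```python
import zlib

# Added example, not mORMot's own code. Assumption: the framework's crc32 is the
# standard zlib CRC-32, so Delphi crc32(seed, buf, len) == zlib.crc32(buf, seed).

def crc32(seed: int, data: bytes) -> int:
    """Delphi-style crc32(seed, buf, len): zlib CRC-32 continued from seed."""
    return zlib.crc32(data, seed) & 0xFFFFFFFF

def hexa8(value: int) -> str:
    """The docs' Hexa8(): a 32-bit cardinal as 8 hexadecimal characters."""
    return f"{value & 0xFFFFFFFF:08x}"

def private_salt_hash(session_key: str, password_hash_hexa: str) -> int:
    """crc32 over the whole login 'result' string, then over the password hash hexa."""
    return crc32(crc32(0, session_key.encode()), password_hash_hexa.encode())

def sign_uri(uri: str, session_id: int, salt_hash: int, timestamp256: int) -> str:
    """Client side. uri is the path without scheme/host, e.g. 'root/Hello'; what is
    signed is that path plus the '?' (or '&') that precedes session_signature=."""
    blank = uri + ("&" if "?" in uri else "?")
    nonce = hexa8(timestamp256)          # the exact 8 chars sent are the 8 chars hashed
    signature = crc32(crc32(salt_hash, nonce.encode()), blank.encode())
    return f"{blank}session_signature={hexa8(session_id)}{nonce}{hexa8(signature)}"

def verify_uri(uri: str, sessions: dict, last_ts: dict, coherency_ticks: int = 4) -> bool:
    """Server side, mirroring RetrieveSession(): sessions maps session id -> salt
    hash; last_ts keeps the highest timestamp seen per session (0 right after login)."""
    pos = uri.find("session_signature=")
    if pos < 0 or len(uri) < pos + 18 + 8 + 8 + 8:
        return False
    tag = uri[pos + 18:pos + 42]
    try:
        session_id, timestamp, given = (int(tag[i:i + 8], 16) for i in (0, 8, 16))
    except ValueError:
        return False                     # not three hexadecimal cardinals
    salt_hash = sessions.get(session_id)
    if salt_hash is None:
        return False                     # no such session
    minimal = last_ts.get(session_id, 0) - coherency_ticks
    if minimal >= 0 and timestamp < minimal:
        return False                     # stale timestamp: replayed or out of order
    if crc32(crc32(salt_hash, tag[8:16].encode()), uri[:pos].encode()) != given:
        return False                     # wrong key, or URL text altered in transit
    last_ts[session_id] = max(last_ts.get(session_id, 0), timestamp)
    return True

# Constructed sample built from the session key and password hash quoted in the post.
SALT = private_salt_hash(
    "541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C",
    "588b7c1c3ddda23b3e89b452e767139d68432cdc5581b3dd360901e12efe2201")
SIGNED = sign_uri("root/Hello", 541010933, SALT, 6562952)
```

Note that the coherency window (4 ticks of 256 ms in the quoted server code) means a signed URL replayed within about a second is still accepted, and that the signature binds only the session key, the timestamp and the URL text, not the request body.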

#7 mORMot 1 » WEB authentication using MORMOT » 2023-03-28 23:40:46

claudneysessa
Replies: 10

Hello, I'm trying to do a WEB authentication on a server created with MORMOT, and I'm having difficulties

I make a request

http://localhost:6666/root/Auth?UserName=SUPERVISOR

it returns me a code

{
     "result": "0640eb9fbf61b4e47650154f0cfd088096e0544d7875e3d3d2835a89cb563102"
}

Right after, I make a second request

http://localhost:6666/root/Auth?UserName=SUPERVISOR&PassWord=123&ClientNonce=0640eb9fbf61b4e47650154f0cfd088096e0544d7875e3d3d2835a89cb563102

And I have the return

{
     "result": "1065542664+693AB24B2FE8F63B45963FB89A030CE4B188D8E1FB296DDB93B9B334EA0F446B",
     "loginid": -1,
     "logonname": "SUPERVISOR",
     "logondisplay": "SUPERVISOR",
     "logongroup": 3,
     "timeout": 60,
     "server": "SPAMME_V07001_R001",
     "version": "7.1.1.4"
}

Now I need to consume a test call
http://localhost:6666/root/Hello?session_signature=

and it asks me for this "session_signature", how is this value generated?

I already tried with the return of the previous call "1065542664+693AB24B2FE8F63B45963FB89A030CE4B188D8E1FB296DDB93B9B334EA0F446B" but it returns an error

{
     "errorCode": 403,
     "errorText": "Authentication Failed: Invalid signature (0)"
}
