Hi @ab, I have an issue with TRestHttpClient.SetUser, which stops working starting from this specific commit, so far tested only on Delphi 12.3:
65e4597 - rest: make server nonce unique per connection/client - our authentication scheme is now as secure as SCRAM could be, and even more since we feature strong "Modular Crypt" hashes like BCrypt or SCrypt
- still compatible with old mORMot 1 clients
What happens:
- It works using a direct connection to the server host (localhost, 192.168.*)
- It doesn't work behind nginx on 80/http and 443/https
I haven't debugged it yet, as you might have an answer.
In the test program shown below, the client is a simple TRestHttpClient.SetUser call, compiled on commit a919746 from July 29. I get the same result compiling both server and client on commit 65e4597 or newer. I have saved logs just in case.
The client on the left side gets HTTP 200; on the right side the client gets an HTTP 403 return code.
Last edited by flydev (2025-09-26 19:50:15)
I don't understand why there should be any difference behind nginx/https.
Take a look at the logs to debug a little bit and find out what happens in the mormot server behind nginx.
Check your nginx configuration, and the fact that the /auth URI should be passed to mormot with its parameters.
I will look at it; the nginx config was kept minimal with a simple proxy_pass for testing. The demo program returns 200 OK in both cases (direct and nginx) if the server is compiled on the last commit before 65e4597. Once I compile the server starting from commit 65e4597, then it fails behind nginx only.
I will try again with a minimal server and report it here.
Last edited by flydev (2025-09-29 14:19:06)
Now I think I understand the issue.
This commit added an additional safety, by using a nonce per connection.
But behind nginx, Ctxt.Call^.LowLevelConnectionID may not be used.
You could either
1) set the rsoSharedNonce option on TRestServer,
or
2) properly configure the ConnectionID header for nginx:
a) set in your code: THttpServerGeneric.RemoteConnIDHeader='X-Conn-ID'
b) set in nginx config: proxy_set_header X-Conn-ID $connection
Proper nginx configuration is the following:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Conn-ID $connection;
Edit:
To avoid such issues, I may just invert the logic and use a new explicit rsoPerConnectionNonce option, so this new feature is disabled by default.
https://github.com/synopse/mORMot2/commit/1fcc7f0e7
Now it should work with no problem and with no more configuration needed.
Sorry for the confusion.
I have added https://github.com/synopse/mORMot2/commit/1fcc7f0e7
so maybe it would work out of the box directly without changing the option.
If you set the X-Conn-ID header, you could enable this new rsoPerConnectionNonce option, for safety.
But it is not mandatory.
Hi @ab, I did some testing - Delphi 12.3 and FPC - and here is what I see:
- without rsoPerConnectionNonce, client auth is fine (this was failing).
- enabling rsoPerConnectionNonce, the client fails at CheckPassword()
fServer.fOptions:
[rsoNoInternalState,rsoNoTableURI,rsoMethodUnderscoreAsSlashUri,rsoPerConnectionNonce]
srvr mormot.rest.server.TRestServerRoutingRest(0334c340) Method GET root/auth?username=Admin=200 out=77 B in 3.09s
ret ServerApiHost.TAppServer(033e9f40) Method len=77 {"result":"bd1a5ead8e255448fd09484e56e33a66ea8cefc3f6d3804735cb6cf7a46881c0"}
[debug] GET /root/auth?username=Admin&password=e23f6a5756da303c6b36de49077cb51d6828768a2763b0b82678122deba05ac8&clientnonce=58671B01_0fb7691644db0de2e1bd776ed8466eb2
[BeforeBody][aInHeaders]:
- X-Real-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Forwarded-Proto: https
- X-Conn-ID: 17
- Accept: */*
If you enable rsoPerConnectionNonce, you need to
1) set the header at nginx level - seems done
2) set THttpServerGeneric.RemoteConnIDHeader := 'X-Conn-ID' at mormot server side - is it done?
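Editor's added example, putting the two steps above (and the option from the earlier post) into a minimal server; this is not code from the thread or from the mORMot sources. The in-memory TRestServerFullMemory, the port 8080 and the exact constructor arguments are assumptions; only rsoPerConnectionNonce, RemoteConnIDHeader and the X-Conn-ID header name come from the discussion.

```pascal
program ConnIdNonceServer;

{$I mormot.defines.inc}

uses
  {$I mormot.uses.inc}
  mormot.core.base,
  mormot.core.os,
  mormot.orm.core,
  mormot.rest.server,
  mormot.rest.memserver,
  mormot.rest.http.server,
  mormot.net.server;

var
  Model: TOrmModel;
  Server: TRestServerFullMemory;
  Http: TRestHttpServer;
begin
  // 'root' matches the "GET root/auth?username=..." URI seen in the logs
  Model := TOrmModel.Create([TAuthGroup, TAuthUser], 'root');
  // True = enable the default /auth user authentication (assumed setup)
  Server := TRestServerFullMemory.Create(Model, True);
  try
    // opt in to the per-connection server nonce: since commit 1fcc7f0e7
    // it is off by default, so a plain proxy_pass setup keeps working
    Server.Options := Server.Options + [rsoPerConnectionNonce];
    // port and async mode are assumptions, not from the thread
    Http := TRestHttpServer.Create('8080', [Server], '+', useHttpAsync);
    try
      // step 2) of the answer above: read the connection ID from the header
      // that nginx sets with "proxy_set_header X-Conn-ID $connection;"
      // Without it, behind a reverse proxy, the nonce would be bound to the
      // nginx->mormot socket instead of the real client connection, and the
      // second /auth step (username+password+clientnonce) gets a 403.
      Http.HttpServer.RemoteConnIDHeader := 'X-Conn-ID';
      WriteLn('Listening on :8080 - press [Enter] to quit');
      ConsoleWaitForEnterKey;
    finally
      Http.Free;
    end;
  finally
    Server.Free;
    Model.Free;
  end;
end.
```

Without the matching proxy_set_header line in nginx, the X-Conn-ID header is absent and the server has no stable per-client connection ID, which is exactly the failing case shown in the logs above.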
I tried to make it more explicit in the documentation:
https://github.com/synopse/mORMot2/commit/d8d29e033