Okay, I have the following working on Elevate Web Builder
- GETting a full list of all elements, or one element by ID
- DELETing elements by ID
- POST/PUT and getting back the location for new elements
all done through REST+JSON
What I don't understand is how to search by a criteria other than the ID.
E.g. TPerson has a Name and ID. I can search by ID, but I want to know the search query to select NAME='Erick'. I don't see that in the REST samples.
Erick
Section 21 in the documentation talks about a few methods of storing credentials.
You might want to look at JWT.
The concept is this: you authenticate once the usual ways, then return the userid + other needed
session fields to the client in a JWT token. But the token is a signed JSON string. When the JWT
is submitted again in the future, you only need to verify the HASH is valid - if the hash computes, then
the user is properly returning the session information.
Unlike cookies, JWT is stateless.
see JWT.IO for details including Delphi libraries.
JWT is portable technology and libraries exist for many languages.
Erick
AFAIR JWT token is not safe from MIM attacks.
True, unless it is used with OAuth 2, then it is safe.
Erick
No, OAuth 2 suffers from the same unsafety pattern to MIM attacks: the very same token is reused for all requests.
See what one of the OAuth 2 authors wrote:
https://hueniverse.com/2012/07/26/oauth … d-to-hell/
All those protocols do rely on HTTPS encryption for safe authentication and authorization.
Which is a true concern, since HTTPS is just as secure as the certificates chain installed on the computer, which could be compromised.
HTTPS/TLS is exactly as strong as the weakest CA...
See http://www.antionline.com/showthread.ph … s-0Day-PoC
and http://resources.infosecinstitute.com/c … tificates/
JWT are just as much vulnerable to MITM attacks as any other authentication scheme and OAuth has nothing to do with it. However, solutions do exist, like using HTTPS-only cookies (HttpOnly; Secure). You should also consider prevention of CSRF attacks and replay attacks. For CSRF you may consider using another cookie (domain cookie, accessible from JavaScript, and send it alongside the request). For replay attack prevention you can use the exp and iat claims of JWT. There is also the jti claim (unique JWT ID) which can be used, for example, to blacklist used tokens.
If this information is too condensed I can try to elaborate a little
The easiest way to mitigate MIM attacks here is to sign each URI individually, and never transmit the token directly, as both JWT and OAuth2 do.
And it has the benefit of being HTTP-free, i.e. not tied to the availability of HTTP headers, which is not part of REST itself.
This is e.g. what we do with mORMot auth.
See http://broadcast.oreilly.com/2009/12/pr … ation.html
Thanks for the reply on OAuth. I read it briefly and will study it in detail later, as a lot of things I do rely on it.
Erick
My Mormot/EWB interfacing code will probably be hosted on Elevate's public web space
in the coming weeks after I have it more finalized. I'm still rejigging major parts to
match the specifics of Mormot and the latest EWB Beta 2.05.
It will be a free library. Documentation for it and EWB in general will be in my updated
book which will be released probably by September.
I'm trying to figure out the protocol. What I think it is goes like this.
Have I got it right?
Login
------
Send: GET //host/root/Auth?UserName=clientname
returns
{ result : servernonce}
GET //host/root/Auth?UserName=clientname&Password=xxxxxxxxxxxxxxxx
where xxxxxxxxxxxxxxx = sha256hash( 'root' + servernonce + clientnonce
+ clientname + passwordhashhexa )
and passwordhashhexa = sha256hash( "salt" + password )
where "salt" is actually the word: salt
Logout
GET //host/root/Auth?UserName=clientname&session=n
Signing Typical Message
...&session_signature=xxxxxxxxyyyyyyyyzzzzzzzzzzzzzzzz
xxxxxxxx = session ID with leading zeros
yyyyyyyy = nonce
zzzzzzzzzzzzzzzz = crc32( url + crc32( nonce + sessionprivatekey))
I don't think I have it right. Please help.
Thanks
Erick
Everything is explained in the doc.
See http://synopse.info/files/html/Synopse% … ml#TITL_98
And the cross-platform client source code is certainly easier to understand than the main mORMot.pas, which is more versatile, but also more difficult to follow.
I found the source code easier to read than the page.
But the example from javascript
http://synopse.info/forum/viewtopic.php?id=490&p=2
shows hexpasswordhash=sha256( 'salt' + password )
where 'salt' is unexplained, so I think they mean the word said
which doesn't seem compatible with the documentation.
Indeed.
Here "salt" is used to avoid brute force attacks using dictionaries.
This is how the hashed password is expected to be computed, and stored.
Of course, there is an even better way in latest version of the framework (not yet supported by the cross-platform clients), which uses PBKDF2/HMAC with another custom salt instead.
This second paradigm is even much stronger than a fixed "salt".
See class function TSQLAuthUser.ComputeHashedPassword() in mORMot.pas.
I think I got authentication working. Yea.
Now I'm on to the Calculator.add example.
The _contract_ is not documented as far as I can see. I tried a couple of things,
both with an empty JSON [] and no JSON. According to my browser the SMS
example sends an empty JSON. Anyways I get no info from the server to help me
debug it.
I've put the example up at http://dark.uwaterloo.ca/temp/sample3.zip
if anyone is willing to take a look. You just run the HTML file. You can see the
uploads/downloads in the browser's F12 mode.
Thanks for any info you can supply on what I'm doing wrong.
Thanks
Erick
Last edited by erick (2016-08-03 01:23:43)
The _contract_ is a hexadecimal string which is either (by default) computed on the server, or defined on the server with a customized value.
This is why the idea is to generate client wrapper codes, including the hexadecimal value from the mustache data context.
Okay, my current problem is the session_signature value
>The URI signature, using the session private key, the user hashed password, and the supplied Client Time Stamp as source for its crc32 hashing algorithm.
...
> In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, computed by the following Delphi expression:
(crc32(crc32(fPrivateSaltHash,PTimeStamp,8),pointer(aURL),aURLlength)=aSignature);
and PrivateSaltHash = sha1('salt'+password )
Where is the server-returned private key used in this formula? I don't see it. That's probably why my code isn't working.
Also, is aURLLength in decimal or hex or 8-character hex?
Thanks
In contrast, the JavaScript samples compute something like:
Tix := integer(now) div 256; // time in 256 ms increments
Nonce := IntToHex( Tix, 8 );
s := IntToHex( crc32(url + IntToHex(crc32(Nonce+authsessionPrivateKey),8)),8);
sign := IntToHex( authsessionID, 8) + nonce + s;
? or & session_signature= sign
But that 8x3 hex number doesn't work either. I get a 404 error.
Erick
Last edited by erick (2016-08-03 18:28:40)
> In contrast, the JavaScript samples compute something like:
> s := IntToHex( crc32(url + IntToHex(crc32(Nonce+authsessionPrivateKey),8)),8);
> sign := IntToHex( authsessionID, 8) + nonce + s;
> ? or & session_signature= sign
For mormot.pas I see:
Call.url := Call.url+fSessionIDHexa8+nonce+CardinalToHex(
crc32(crc32(fSessionPrivateKey,Pointer(nonce),length(nonce)),
Pointer(blankURI),length(blankURI))
which I interpret as:
Tix := integer(now) div 256; // time in 256 ms increments
Nonce := IntToHex( Tix, 8 );
s := IntToHex( crc32( authsessionprivatekey + nonce ),8);
s := IntToHex( crc32( s + url),8);
sign := IntToHex( authsessionID, 8) + nonce + s;
prf := '?';
if Pos('?',url) > 0 then prf := '&';
result := prf + 'session_signature=' + sign;
but I'm obviously wrong.
IMHO starting from SynCrossPlatformRest.pas may be easier to follow.
The doc has uppercase hex, but I'm assuming it's all lowercase hex based on the server-supplied values.
E
You should use the crc32 seed parameter, not concatenate hexadecimal values...
Ahhh, that was my problem. Solved!
Question: I see the protocol creates a problem: the client has 1/4 billion odds of solving it for a Man-in-the-middle attack. What is to prevent the bad client from trying all 4 billion possibilities? Do you close the session, or do an exponential back-off, or blacklist, or what?
Thanks
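The fix above ("use the crc32 seed parameter, not concatenate hexadecimal values") is easy to get wrong in a port, so here is an added JavaScript example, not mORMot's code and not Erick's EWB library, that implements the session_signature exactly as the mORMot.pas lines quoted earlier chain crc32 through its seed, next to the hex-concatenation variant that produced the 404. The session ID, private key and tick count are constructed values, and the seeded crc32 is assumed to be zlib-compatible like mORMot's.

```javascript
// Added example, not mORMot's or Erick's code. Shows the session_signature
// computation from the mORMot.pas snippet quoted in the thread (crc32 chained
// through its seed parameter) beside the hex-concatenation variant that failed.

// zlib-compatible CRC32 with a seed (assumed to match SynCommons.crc32).
const CRC_TABLE = new Uint32Array(256);
for (let n = 0; n < 256; n++) {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xEDB88320 ^ (c >>> 1) : c >>> 1;
  CRC_TABLE[n] = c >>> 0;
}

function crc32(seed, text) {
  let crc = ~seed >>> 0;                   // seed is folded in the way zlib does
  for (const b of new TextEncoder().encode(text)) {
    crc = CRC_TABLE[(crc ^ b) & 0xff] ^ (crc >>> 8);
  }
  return ~crc >>> 0;
}

// 8 lowercase hex digits, the form the server-supplied values use.
function hex8(value) {
  return (value >>> 0).toString(16).padStart(8, '0');
}

// Client time stamp: tick count shr 8, i.e. 256 ms resolution.
function nonceFromTicks(tickMs) {
  return hex8(Math.floor(tickMs / 256));
}

// crc32(crc32(fSessionPrivateKey, nonce), blankURI): the inner crc is the
// SEED of the outer call; nothing is rendered as text in between.
function sessionSignature(blankURI, sessionIDHexa8, sessionPrivateKey, nonce) {
  const sig = crc32(crc32(sessionPrivateKey, nonce), blankURI);
  return sessionIDHexa8 + nonce + hex8(sig);
}

// The variant tried in the thread: inner crc rendered as hex, then hashed
// again as part of the text. Yields a different value, which the server rejects.
function sessionSignatureConcat(blankURI, sessionIDHexa8, sessionPrivateKey, nonce) {
  const inner = hex8(crc32(0, hex8(sessionPrivateKey) + nonce));
  return sessionIDHexa8 + nonce + hex8(crc32(0, inner + blankURI));
}

// Append the signature with '?' or '&' depending on whether the URI has a query.
function signedURI(blankURI, sessionIDHexa8, sessionPrivateKey, nonce) {
  const sep = blankURI.includes('?') ? '&' : '?';
  return blankURI + sep + 'session_signature=' +
    sessionSignature(blankURI, sessionIDHexa8, sessionPrivateKey, nonce);
}

// Constructed sample session (made-up values, not from a real server).
const SAMPLE_SESSION_ID_HEXA8 = '0000004c';
const SAMPLE_PRIVATE_KEY = 0x5a17c3e9;
const SAMPLE_URI = 'root/Calculator.Add?n1=1&n2=2';

console.log(signedURI(SAMPLE_URI, SAMPLE_SESSION_ID_HEXA8, SAMPLE_PRIVATE_KEY,
                      nonceFromTicks(0x000f6be3 * 256)));
```

Because zlib-style seeding is a plain continuation of the checksum, crc32(crc32(key, nonce), uri) equals crc32(key, nonce + uri), which is what the server recomputes on its side.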
Due to the network latency, such a number of 1/4 billion requests won't be feasible in the time frame allowed by the signature nonce.
And most hosting providers would identify such DDOS requests at TCP/IP level.
See https://www.ovh.com/us/anti-ddos/anti-d … nciple.xml
Erick,
In your book, do you have an SOA example between EWB and Mormot or a chat example like this:
http://matthew-jones.com/ewb-rosdk-getting-started/
> Erick,
> In your book, do you have an SOA example between EWB and Mormot or a chat example like this:
> http://matthew-jones.com/ewb-rosdk-getting-started/
Hi DKA,
I have three examples, all use existing Mormot sample servers. I don't go into Mormot server design.
The examples:
1. SOA REST example PUT/POST/GET/DELETE similar to typical Mormot calls
2. TDataSet-based calls, so you can use TGrid and other data-aware components
3. RPC server which also supports the Mormot password cryptography, so you can call any
mormot RPC or other call. I based it on the ICalculator example
I presently have only a cell phone connection and can't upload samples at 3G speeds.
Erick
Sorry, I forgot to mention that the book is still being proofed, so it should be available for September.
Erick
Thanks Erick. Please let us know when the proofed book will be available.
> Thanks Erick. Please let us know when the proofed book will be available.
Tim seems busy with issues of the new release of EWB, so it may take him some time to get to proofing the book.
We were hoping for early September.
@erick,
Can't wait to see the mORMot interface library you are writing for EWB.
PS, does the EWB Pascal-to-JS compilation also produce source maps (https://developers.google.com/web/tools … maps?hl=en)?
Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.
@edwinsn
1. With EWB, you can use any "outside" JS library, you have of course a component TScript. All the job is done in Object Pascal but if you want something fancy you have access to JS.
2. For EWB-mORMot relation you don't need an interface. From EWB app if you want data from mORMot you have 2 options:
a) TServerRequest sends a query like this: GET http(s)://server/Customers(5), mORMot responds with a JSON with the Customer with ID=5. Your logic from EWB parses the JSON with help of the TReader component and takes Name, Adress, FiscalCode, ... etc.
So from server side-mORMot you can have:
a1) rest server with ORM enabled and a table called Customers or
a2) method-based server with a method called Customers and you assemble the JSON for the customer with ID=5; you choose.
b) EWB has a TDataset component, which is something like an in-memory TClientDataset and has a method LoadRows. So, you have an in-memory TDataset with columns defined at design or runtime and you only ask for rows which will come from mORMot as a JSON array. So you will have a mORMot method-based server with only one method which assembles the response every time in the same JSON format - array of rows: ex. for table Products:
{ "rows": [
{ "ProductID": "9V-BATTERY-12PK",
"Description": "12-pack of 9-volt batteries",
"ListPrice": 20, "Shipping": 2 },
{ "ProductID": "9V-BATTERY-4PK",
"Description": "4-pack of 9-volt batteries",
"ListPrice": 4.5, "Shipping": 1.5 },
{ "ProductID": "CALCULATOR-BUSINESS",
"Description": "Business calculator",
"ListPrice": 10, "Shipping": 1 }
] }
a) is the OO way, b) is some "traditional" Delphi way. (LoadRows of TDataset has inside a hidden TServerRequest).
Last edited by emk (2016-08-31 13:59:21)
@emk,
Thanks for the info! Anyways, Erick (I assume he is the developer of EWB?) said in this post that he is working on an mORMot client library for EWB, and I believe that'll be useful also.
Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.
Any shortcut is always welcome.
Tim Young is the developer of EWB. He is also the developer of the well-known DBISAM.
Of course, if you use variant a) (EWB + mORMot REST server), you can write a little code in EWB which automates marshalling from the JSON of GET http(s)://server/Customer(5) to an instance of TCustomer (or from any JSON-represented object to an instance of that object). EWB knows RTTI.
So you can have your ORM on client side in EWB.
So, you can have something like this:
var
  Customer: TCustomer;
begin
  Customer := TCustomer.Create;
  try
    GetFromServer(Customer, 5);
    label1.Caption := Customer.Name;
    label2.Caption := Customer.Adress;
  finally
    Customer.Free;
  end;
end;
where GetFromServer is a procedure written by you which calls GET http(s)://server/Customer(5), takes the JSON and parses Name, Adress, ...
Last edited by emk (2016-08-31 15:28:38)
The best idea would be to create the mustache wrappers working with EWB, to directly generate the client code from the server.
See http://synopse.info/files/html/Synopse% … #TITLE_471
I'm happy to announce my Elevate Web Builder book (2nd edition) has been published on Amazon and includes
adding mORMot support to Elevate Web Builder, complete with samples using stock mormot servers.
You can download sample HTML/JS and the linking EWB source code at http://www.erickengelke.com
This means: End-to-End pascal as EWB compiles to HTML/JavaScript.
Elevate Web Builder (EWB) is a commercial toolkit similar in many ways to Smart Mobile Studio. I have licenses
for both, but I no longer use SMS. The pricing is similar for both products. I have no commercial interest in
EWB except royalties on my book, but I am a satisfied customer. I believe they have a trial edition available.
If you have any questions, I'll answer them here, or in Email: erickengelke@gmail.com
The Elevate Web Builder (EWB) book is available at Amazon: UK, EU and USA. 250 pages are advanced stuff, and 50 pages are introductory to EWB,
but it all assumes you have a good Delphi/FPC background. There is no introduction to Pascal or OOP or Forms.
I live in Canada, so I actually have to order it from the US store because it's not yet carried in my own country...yet. My other books are listed everywhere, I think they just have to have enough time/volume to be listed everywhere. This one was just released on the weekend.
- - -
My current project is a Mormot book, which I've been working on for over a year now. I'll share it with AB
to fact check as it nears completion.
Mormot is such a rich environment, I found no shortage of material, but the real challenge was finding a coherent way
to present it accurately.
The Mormot online FAQ is obviously the definitive source for information and will always be that, but I hope to shave
off a lot of the learning curve for new users, and present interesting solutions for existing users.
The book will likely be called Delphi Enterprise Databases Using mORMot and Elevate Web Builder. I
think they are a perfect fit (with a little help from me). For advanced users, using only SOA, I
show how to do Active Directory/RADIUS/LDAP based logins from the EWB web client. I am currently
working on OAuth2 logins too, but that isn't quite done.
I frequently mention FPC/NewPascal but don't get into the intricacies of FPC/NewPascal because I
consider them a point-in-time challenge best addressed in the FAQ.
mORMot brings compatibility, performance, reliability, scalability, etc. to the table. And it's a long term
solution because it's not tied to one vendor. EWB brings a universal client - both through
the web, and as my current EWB book (sorry I'm jumping around here) shows, you can generate
EXEs, OS/X bins, Android APKs, iOS binaries, Win Phone bins, etc. It's more portable than
FMX, but you can do most things FMX apps can (read bar scanner on your phone, use geolocation, etc.) when
compiled as a native EWB app.
The two give an end-to-end solution in Object Pascal and standards based technologies.
Oddly, I think my books also legitimize the topics for bosses who might be afraid of these technologies. They are
worried about long term investments in software which is only documented online, or where there is a
steep learning curve and silos of knowledge. With my books, a new employee can be brought up to
speed quickly, and best practices are shared coherently.
There are about 50 pages of overlap in these two books. The remaining 250 pages in each are unique.
Erick
I ordered on Amazon UK on Sep 11, dispatched on Sep 13, and it will be delivered between Sep 15-17.
For Europeans the best is Amazon UK:
https://www.amazon.co.uk/Using-Elevate-Web-Builder-Mobile/dp/153555505X/ref=sr_1_2?ie=UTF8&qid=1473771589&sr=8-2&keywords=elevate+web+builder
Thanks Erick.
Horbs's link worked for me also and I just ordered mine ;-)
Erick,
Congratulations! Just out of curiosity, why have you chosen EWB rather than Smart Mobile Studio?
Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.
Can't wait to get your book on mORMot erick !
Erick,
>Congratulations!
Thanks.
> Just out of curiosity, why have you chosen EWB rather than Smart Mobile Studio?
I'd say it comes down to personal preference.
I coded programs in SMS first, but I felt they were sloppy and buggy. Someone on the Delphi forum urged me to "just try" EWB,
and since I had taken similar advice about mormot, I just tried it, and it somehow fit me better. The apps looked professional and did what
I wanted right away. It was closer to a Delphi VCL metaphor.
SMS promised new versions for months (a year maybe) to fix some bugs I mentioned but never delivered. They also recommended
a manual that was years out of date and unfinished, with no warning. It felt like a dead product 7 months ago, maybe that's changed.
SMS has a more sophisticated Object Pascal than SMS, EWB implemented less, but I felt it was more solid.
SMS seemed more interested in game development. EWB is focused on database/professional apps. Both are equally
good at responsive design, but are different.
I guess it's just like how some of us have given up on Delphi, whereas some others don't care for FPC/Lazarus. I know SMS
supports interfaces natively which EWB does not, but it's not a huge difference in practice because you just rewrite a few lines
of pascal headers... no big deal.
Erick
Erick,
That's nice to see EWB with mORMot example.
Erick, one thing that I tend to disagree with in both SmartMS and EWB is the RAD approach to build and manage the user interface. I sincerely do not like this methodology, which I believe is difficult to work with for a lot of views.
I'm just curious:
a) Is it easy to create a simple example like this in EWB? This was created with SMS.
b) Based on the example EWB-mORMot sample1a.wbs, IMHO, it has generated a big overhead in file size, f.i. sample1.html (192KB) and sample1.js (obfuscated/packed = 478KB). In this example, we can perform CRUD operations, it looks like the Delphi RAD approach, using datasets, but I cannot see the URI signature in the methods; is it possible to invoke service methods transparently - just call the methods and don't worry about the rest?
c) Unfortunately I cannot afford EWB; could you provide us the EWB command line compiler, since non-EWB customers cannot post in the support forum? I would like to test this tool for educational purposes, and see the JS generated. Another thing: does the new EWB 2.05 have the code insight feature? f.i. red when the file contains compilation errors, or code completion...
Last edited by warleyalex (2016-09-13 20:35:36)
I think that doing RPCs to mormot encourages one to do their business logic in the server, and leave the client for handling presentation only, which is how I'd recommend anyone program - separating logic from presentation.
a) I recognize the SMS in the example you gave. That one looks like SMS, it would take *me* about 15 minutes to code it in EWB except for the circled images, that would take longer because circle images aren't a native thing in EWB. I don't know how long it would take other people, I think I might
have more experience than many.
b) Like many compiled languages, Delphi and FPC included, the executable is larger than hand-coded assembler/JavaScript. In fact, the first thing most people say when they compile for FPC/Lazarus is WTF, why is it so huge? But the overhead grows linearly from that point. For example, I have a huge 30-form application I'm doing in my job, it compiles to UNCOMPRESSED
871,368 faculty.html
1,672,593 faculty.js
857,422 libsodium.min.js
5,015 sha256.js
68,988 shield.png
5 File(s) 3,475,386 bytes
When compressed, the faculty.js file will be much smaller than libsodium.min.js. And the png and jpg images I download will be the real bandwidth hogs.
When you call services-methods or RPCs, you have a completion handler, which is the other half of your subroutine. SMS handles that differently
than EWB - and again, it's a preference matter as to which is superior. I think completion functions are cleaner for me to look at. Some other people
rave about .. I forget the name... it's been a long day... but writing nameless functions, or whatever they're called. I liken them to 8 bit assembler where you could only jump a short distance and were stuck with intermixing your code. I think it's hideous and error-prone. But that's how javascript people like to do it.
c) I'm not the author or owner of EWB, I've paid my subscription fees just like everyone else. I don't know the exact price, but it was half what I pay for Delphi, and I find I'm using it more than Delphi these days. No, it does not have code insight or code completion at this time.
The code generated for user functions is efficient, but there is overhead for the windowing library.
Erick
Thanks for your answer, Erick, I understand you.
While at the moment I prefer a vue.js client talk to a mORMot server, I'll keep an eye on the development of both EWB and SMS.
From what I have seen so far, EWB has advantages over SMS in that it's well documented, and is NOT mobile-only.
Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.
> Thanks for your answer, Erick, I understand you.
> From what I have seen so far, EWB has advantages over SMS in that it's well documented, and is NOT mobile-only.
SMS is not mobile-only. It can generate web pages viewable on any device.
Erick
Erick,
Just for information, do you have an idea about the date of availability of your Mormot book?
If I'm not mistaken it's the first book on Mormot. Right?
Thanks.
> edwinsn wrote: Thanks for your answer, Erick, I understand you.
> From what I have seen so far, EWB has advantages over SMS in that it's well documented, and is NOT mobile-only.
> SMS is not mobile-only. It can generate web pages viewable on any device.
> Erick
Yes, but "viewable on any device" != "designed with desktop web app in mind".
It's obvious that the layout and controls optimized for the mobile web are different from those designed for traditional web apps.
Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.