Just assigned a TJWTHS256 instance to the RestServer.JWTForUnauthenticatedRequest property,
then set the client SessionHttpHeader: Authorization: Bearer <Token>
then call any method or interface based service that needs auth, and you will fail.
The problem is that
JWTForUnauthenticatedRequest is not working because of a bug in the security handling logic of procedure TSQLRestServer.URI:
in mORMot.pas:

```pascal
// 2. handle security
if (rsoSecureConnectionRequired in fOptions) and
   (Ctxt.MethodIndex<>fPublishedMethodTimestampIndex) and
   not (llfSecured in Call.LowLevelFlags) then
  Ctxt.AuthenticationFailed(afSecureConnectionRequired) else
if not Ctxt.Authenticate then
  Ctxt.AuthenticationFailed(afInvalidSignature) else
if (Ctxt.Service<>nil) and
   not (reService in Call.RestAccessRights^.AllowRemoteExecute) then
  if (rsoRedirectForbiddenToAuth in Options) and (Ctxt.ClientKind=ckAjax) then
    Ctxt.Redirect(Model.Root+'/auth') else
    Ctxt.AuthenticationFailed(afRemoteServiceExecutionNotAllowed) else
if (Ctxt.Session<>CONST_AUTHENTICATION_NOT_USED) or
   (fJWTForUnauthenticatedRequest=nil) or
   (Ctxt.MethodIndex=fPublishedMethodTimestampIndex) or
   ((llfSecured in Call.LowLevelFlags) and
    not (llfHttps in Call.LowLevelFlags)) or // HTTPS does not authenticate
   Ctxt.AuthenticationCheck(fJWTForUnauthenticatedRequest) then
```

Lines 42740 and 42741 always get executed if not authenticated:

```pascal
if not Ctxt.Authenticate then
  Ctxt.AuthenticationFailed(afInvalidSignature)
```

so fJWTForUnauthenticatedRequest never gets a chance.
Or am I doing it wrong?
Well, got it now, we should disable the Authentication on RestServer creation first.
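The resolution above, as an added example that is not part of the original thread or of the mORMot project's own code: the server is created with the built-in session authentication switched off, so that the `Ctxt.Authenticate` branch quoted in the first post no longer rejects the request before `JWTForUnauthenticatedRequest` is consulted, and a client sends the JWT in the `Authorization: Bearer` header via `SessionHttpHeader`. The table type `TSQLNote`, the port, the secret and the claim set are assumptions chosen for the example; the `TJWTHS256.Create` and `TJWTAbstract.Compute` parameter lists are reproduced from memory of mORMot 1.18 and should be checked against the SynCrypto.pas you are building with.

```pascal
program JwtOnlyRestServer;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  SynCommons,
  SynCrypto,          // TJWTHS256
  mORMot,             // TSQLModel, TSQLRecord, TSQLRestServerFullMemory
  mORMotHttpServer,   // TSQLHttpServer
  mORMotHttpClient;   // TSQLHttpClient

type
  // Assumed table for the example: any TSQLRecord will do.
  TSQLNote = class(TSQLRecord)
  private
    fTitle: RawUTF8;
  published
    property Title: RawUTF8 read fTitle write fTitle;
  end;

const
  // Constructed values for the example; use a real random secret in production.
  JWT_SECRET = 'example-secret-change-me';
  SERVER_PORT = '8888';

var
  Model: TSQLModel;
  Server: TSQLRestServerFullMemory;
  HttpServer: TSQLHttpServer;
  Jwt: TJWTHS256;
  Token: RawUTF8;
  Client: TSQLHttpClient;
  Note: TSQLNote;
begin
  Model := TSQLModel.Create([TSQLNote]);
  try
    // The fix from the thread: aHandleUserAuthentication=false.
    // With true, TSQLRestServer.URI runs Ctxt.Authenticate first and answers
    // afInvalidSignature before the JWT is ever looked at.
    Server := TSQLRestServerFullMemory.Create(Model, {aHandleUserAuthentication=}false);
    try
      // HS256 signer: (secret, PBKDF2 rounds used to derive the key from the
      // secret, required claims, accepted audiences, token lifetime in minutes).
      // Parameter order is an assumption; verify against SynCrypto.pas.
      Jwt := TJWTHS256.Create(JWT_SECRET, 1000,
        [jrcIssuer, jrcSubject, jrcExpirationTime], [], 60);
      // Requests carrying no session are now validated against this JWT.
      // The server is assumed to free the instance in its destructor.
      Server.JWTForUnauthenticatedRequest := Jwt;

      HttpServer := TSQLHttpServer.Create(SERVER_PORT, [Server]);
      try
        // Issue a token for the demo client (issuer and subject are constructed).
        Token := Jwt.Compute([], 'example-issuer', 'example-subject');

        Client := TSQLHttpClient.Create('localhost', SERVER_PORT, Model);
        try
          // The header the first post describes; it is sent with every request.
          Client.SessionHttpHeader := 'Authorization: Bearer ' + Token;
          Note := TSQLNote.Create;
          try
            Note.Title := 'created with a bearer token';
            // Fails with HTTP 403 if the JWT is rejected, succeeds (ID>0) otherwise.
            if Client.Add(Note, true) > 0 then
              Writeln('JWT accepted: record added')
            else
              Writeln('request refused: check the token and server options');
          finally
            Note.Free;
          end;
        finally
          Client.Free;
        end;
      finally
        HttpServer.Free;
      end;
    finally
      Server.Free;
    end;
  finally
    Model.Free;
  end;
end.
```

Keep `rsoSecureConnectionRequired` in mind when testing: with that option set and a plain HTTP listener, the first branch of the quoted security block answers `afSecureConnectionRequired` before the JWT check, so the token alone will not get a request through.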