#1 2020-11-22 20:30:54

vlad
Member
Registered: 2017-03-20
Posts: 16

Query Authentication and links to static content

Hello,

I'm running a TSQLRestServerDB with query authentication enabled. The client side is a browser where authentication is processed by jQuery code. All works fine, session_signature is appended on each ajax request to my interface-based service.

However, the resulting client page may contain paths to some static content (<img>, <a>, <script>, <link> etc) also stored on the server. I found this content can easily be provided to the client from TSQLRestServerDB.OnAuthenticationFailed (Ctxt.Returns). I get the Ctxt.URIAfterRoot and parse it accordingly. But this method bypasses authentication and is not acceptable.

Could you please advise the best practice to get static content from the server without jeopardizing mORMot security? I was trying to dig into ServiceWorker / Fetch event on the browser side in order to intercept URLs to static content and replace them with requests to an interface-based service with computed session_signature, but could not make it work.

Offline

#2 2020-11-22 20:37:35

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,272
Website

Re: Query Authentication and links to static content

For a Web client, you may just set a cookie from the authentication service, then use a method-based service to serve the static content, checking the cookie validity and using ctxt.ReturnFile() for efficient static sending to the client.

Offline

#3 2020-11-22 22:57:24

vlad
Member
Registered: 2017-03-20
Posts: 16

Re: Query Authentication and links to static content

I've implemented a method-based service for static file serving. But it is being called only when the authentication flag in TSQLRestServerDB is disabled. Once authentication is switched on, any URL pointing to that method-based service will trigger TSQLRestServerDB.OnAuthenticationFailed, with no chance to do cookie checking in the service itself. On the other hand, I cannot switch off query authentication, it is the main thing in security for my interface-based services. Or maybe I didn't understand the hint properly? Kindly advise.

Edit: Sorry, I found the way to disable authentication of a method-based service by using ServiceMethodByPassAuthentication.

Is there a commonly used approach to check authentication on such exposed services based on cookies? What would be the more secure workflow in order to prevent the user from manipulating cookies from the debugger and accessing the static data?

Last edited by vlad (2020-11-23 00:24:20)

Offline

#4 2020-11-23 09:11:50

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,272
Website

Re: Query Authentication and links to static content

You could take a look at how mORMotMVC.pas handles cookies, in a safe and optimized manner.

But the easiest is to store a JWT inside the cookie: it is safe and standard.

Offline

#5 2020-11-23 21:34:40

vlad
Member
Registered: 2017-03-20
Posts: 16

Re: Query Authentication and links to static content

Thanks, AB. With my humble knowledge I've implemented JWT as follows:

1) After query authentication succeeds, the web client gets the JWT token containing the TAuthSession session ID and stores it as a cookie.
2) Once the method-based service for static content is triggered, I read the JWT from Ctxt.InCookie. I do TJWTHS256.Verify, extract the session ID and do TSQLRestServerDB.SessionGetUser, returning an error if verification fails or the user is not found.

I'm not sure SessionGetUser is the right way to call it here, though, since it locks the data. Any advice to improve all this is highly appreciated.

Offline
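The two-step cookie workflow from post #5, as an added example that is not part of the thread and not mORMot code: a language-neutral Python sketch of an HS256 JWT carrying the session ID, verified before any static file would be served. `SECRET`, `SESSIONS`, the `sid` claim name and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed value; keep the real key server-side only
SESSIONS = {1234: "vlad"}             # constructed stand-in for the server's live session list

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header, claims):
    return hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def issue_token(session_id, ttl=600, now=None):
    """Step 1: build the cookie value once query authentication has succeeded."""
    now = time.time() if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sid": session_id, "exp": int(now) + ttl}).encode())
    return f"{header}.{claims}.{b64e(sign(header, claims))}"

def check_cookie(token, now=None):
    """Step 2: return the session's user, or None if the cookie must be rejected."""
    now = time.time() if now is None else now
    try:
        header, claims, sig = token.split(".")
        # Verify the MAC before trusting any field; constant-time comparison.
        if not hmac.compare_digest(sign(header, claims), b64d(sig)):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        body = json.loads(b64d(claims))
        if body["exp"] <= now:
            return None
        # A closed session invalidates the cookie even before "exp".
        return SESSIONS.get(body["sid"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

if __name__ == "__main__":
    cookie = issue_token(1234)
    print(check_cookie(cookie))
    head, _, mac = cookie.split(".")
    forged = b64e(json.dumps({"sid": 1, "exp": 2**31}).encode())
    print(check_cookie(f"{head}.{forged}.{mac}"))
```

A cookie edited in the browser's debugger fails the MAC check because the client never holds `SECRET`, and looking the session ID up on every request means a logout or session timeout revokes the cookie before its `exp`.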
