#1 2011-11-03 07:58:35

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Javascript authentication

Below is some javascript to authenticate against mORMmot. It doesn't guard against the client tick count wrapping round - any help on that would be great. Also can't see the point of working out the offset between server and client time which is copied from TSQLRestClientURI.URI - is this needed? I haven't written much javascript before so any tips or criticism welcome.

<html>
<head>
<script src="lib/jquery-1.4.3.min.js"></script>
<script src="lib/SHA256.js"></script> <!-- found at: www.movable-type.co.uk -->
</head>
<body>
<form>
username: <input id="username" type="text" value="User" />
password: <input id="password" type="text" value="synopse"/>
<button id="LoginButton" type="button">Log in</button>
</form>
<script>
    var fUser = "",
    fRoot = "",
    fSessionID = 0,
    fSessionIDHexa8 = "",
    fSessionPrivateKey = 0,
    //fSessionLastTickCount = 0,
    //fSessionTickCountOffset = 0,
    
    PasswordHashHexa = "",
    fServerTimeStampOffset = 0;

    $("#LoginButton").click(function(){LogIn("root", $("#username").val(), $("#password").val())});
    
    function LogIn(root, username, password){
      fRoot = root;
      fUser = username;
      PasswordHashHexa = Sha256.hash("salt"+password);
      $.get("/"+root+"/TimeStamp", gotTimeStamp);
    }
    
    function gotTimeStamp(timestamp) {
      var s = '', d = new Date(), clientTime = '';
      timestamp = parseInt(timestamp);
      s = d.getFullYear().toString(2);
      while(s.length < 13) { s = '0'+s;}
      clientTime = s;
      s = d.getMonth().toString(2);
      while(s.length < 4) { s = '0'+s;}
      clientTime = clientTime +s;
      s = (d.getDate()-1).toString(2);
      while(s.length < 5) { s = '0'+s;}
      clientTime = clientTime +s;
      s = d.getHours().toString(2);
      while(s.length < 5) { s = '0'+s;}
      clientTime = clientTime +s;
      s = d.getMinutes().toString(2);
      while(s.length < 6) { s = '0'+s;}
      clientTime = clientTime +s;
      s = d.getSeconds().toString(2);
      while(s.length < 6) { s = '0'+s;}
      clientTime = clientTime +s;
      fServerTimeStampOffset = (timestamp - parseInt(clientTime,2));
      $.get("/"+fRoot+"/auth?UserName="+fUser, gotNonce);
    }
    
    function gotNonce(aNonce){
      //create client nonce
      var aClientNonce = "", s = "", d = new Date();
      aClientNonce = d.getFullYear().toString();
      s = d.getMonth().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + '-' + s;
      s = d.getDate().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + '-' + s + ' ';
      s = d.getHours().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + s;
      s = d.getMinutes().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + ':' + s;
      s = d.getSeconds().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + ':' + s;
      aClientNonce = Sha256.hash(aClientNonce);
      s = "/"+fRoot+"/auth?UserName="+fUser+"&Password=" + 
       Sha256.hash( fRoot+aNonce+aClientNonce+fUser+PasswordHashHexa )+
       "&ClientNonce="+aClientNonce;
      $.get(s, gotSession);  
    };
    
    function gotSession(aSessionKey){
      var i = aSessionKey.indexOf("+");
      fSessionID = parseInt(aSessionKey.slice(0, i));
      fSessionIDHexa8 = fSessionID.toString(16);
      while(fSessionIDHexa8.length < 8) { fSessionIDHexa8 = '0'+fSessionIDHexa8; }
      fSessionPrivateKey = crc32(PasswordHashHexa, crc32(aSessionKey, 0));
      //test it
      $.get("/"+SessionSign("root/SampleRecord?SELECT=*&STARTINDEX=0&RESULTS=50"), function () {alert("url was signed OK");});
    }
    
    function SessionSign(url) {
      var Tix, Nonce, s, ss, d = new Date(); 
      Tix = d.getTime();
      Nonce = Tix.toString(16);
      while(Nonce.length < 8) { Nonce = '0'+Nonce; }
      if (Nonce.length > 8) { Nonce = Nonce.slice(Nonce.length-8) }
      ss = crc32(url, crc32(Nonce, fSessionPrivateKey)).toString(16);
      while(ss.length < 8) { ss = '0'+ss; }
      s = url.indexOf("?") == -1 ? url+'?session_signature=' : url+'&session_signature=';
      return s + fSessionIDHexa8 + Nonce + ss;  
    }

/**
*
*  Javascript crc32
*  http://www.webtoolkit.info/
*
**/    
function crc32 (str, crc) {
 
    function Utf8Encode(string) {
        string = string.replace(/\r\n/g,"\n");
        var utftext = "";
 
        for (var n = 0; n < string.length; n++) {
 
            var c = string.charCodeAt(n);
 
            if (c < 128) {
                utftext += String.fromCharCode(c);
            }
            else if((c > 127) && (c < 2048)) {
                utftext += String.fromCharCode((c >> 6) | 192);
                utftext += String.fromCharCode((c & 63) | 128);
            }
            else {
                utftext += String.fromCharCode((c >> 12) | 224);
                utftext += String.fromCharCode(((c >> 6) & 63) | 128);
                utftext += String.fromCharCode((c & 63) | 128);
            }
 
        }
 
        return utftext;
    };
 
    str = Utf8Encode(str);
 
    var table = "00000000 77073096 EE0E612C 990951BA 076DC419 706AF48F E963A535 9E6495A3 0EDB8832 79DCB8A4 E0D5E91E 97D2D988 09B64C2B 7EB17CBD E7B82D07 90BF1D91 1DB71064 6AB020F2 F3B97148 84BE41DE 1ADAD47D 6DDDE4EB F4D4B551 83D385C7 136C9856 646BA8C0 FD62F97A 8A65C9EC 14015C4F 63066CD9 FA0F3D63 8D080DF5 3B6E20C8 4C69105E D56041E4 A2677172 3C03E4D1 4B04D447 D20D85FD A50AB56B 35B5A8FA 42B2986C DBBBC9D6 ACBCF940 32D86CE3 45DF5C75 DCD60DCF ABD13D59 26D930AC 51DE003A C8D75180 BFD06116 21B4F4B5 56B3C423 CFBA9599 B8BDA50F 2802B89E 5F058808 C60CD9B2 B10BE924 2F6F7C87 58684C11 C1611DAB B6662D3D 76DC4190 01DB7106 98D220BC EFD5102A 71B18589 06B6B51F 9FBFE4A5 E8B8D433 7807C9A2 0F00F934 9609A88E E10E9818 7F6A0DBB 086D3D2D 91646C97 E6635C01 6B6B51F4 1C6C6162 856530D8 F262004E 6C0695ED 1B01A57B 8208F4C1 F50FC457 65B0D9C6 12B7E950 8BBEB8EA FCB9887C 62DD1DDF 15DA2D49 8CD37CF3 FBD44C65 4DB26158 3AB551CE A3BC0074 D4BB30E2 4ADFA541 3DD895D7 A4D1C46D D3D6F4FB 4369E96A 346ED9FC AD678846 DA60B8D0 44042D73 33031DE5 AA0A4C5F DD0D7CC9 5005713C 270241AA BE0B1010 C90C2086 5768B525 206F85B3 B966D409 CE61E49F 5EDEF90E 29D9C998 B0D09822 C7D7A8B4 59B33D17 2EB40D81 B7BD5C3B C0BA6CAD EDB88320 9ABFB3B6 03B6E20C 74B1D29A EAD54739 9DD277AF 04DB2615 73DC1683 E3630B12 94643B84 0D6D6A3E 7A6A5AA8 E40ECF0B 9309FF9D 0A00AE27 7D079EB1 F00F9344 8708A3D2 1E01F268 6906C2FE F762575D 806567CB 196C3671 6E6B06E7 FED41B76 89D32BE0 10DA7A5A 67DD4ACC F9B9DF6F 8EBEEFF9 17B7BE43 60B08ED5 D6D6A3E8 A1D1937E 38D8C2C4 4FDFF252 D1BB67F1 A6BC5767 3FB506DD 48B2364B D80D2BDA AF0A1B4C 36034AF6 41047A60 DF60EFC3 A867DF55 316E8EEF 4669BE79 CB61B38C BC66831A 256FD2A0 5268E236 CC0C7795 BB0B4703 220216B9 5505262F C5BA3BBE B2BD0B28 2BB45A92 5CB36A04 C2D7FFA7 B5D0CF31 2CD99E8B 5BDEAE1D 9B64C2B0 EC63F226 756AA39C 026D930A 9C0906A9 EB0E363F 72076785 05005713 95BF4A82 E2B87A14 7BB12BAE 0CB61B38 92D28E9B E5D5BE0D 7CDCEFB7 0BDBDF21 86D3D2D4 F1D4E242 68DDB3F8 1FDA836E 81BE16CD F6B9265B 6FB077E1 18B74777 88085AE6 FF0F6A70 66063BCA 11010B5C 8F659EFF F862AE69 616BFFD3 166CCF45 A00AE278 D70DD2EE 4E048354 3903B3C2 A7672661 D06016F7 4969474D 3E6E77DB AED16A4A D9D65ADC 40DF0B66 37D83BF0 A9BCAE53 DEBB9EC5 47B2CF7F 30B5FFE9 BDBDF21C CABAC28A 53B39330 24B4A3A6 BAD03605 CDD70693 54DE5729 23D967BF B3667A2E C4614AB8 5D681B02 2A6F2B94 B40BBE37 C30C8EA1 5A05DF1B 2D02EF8D";
 
    if (typeof(crc) == "undefined") { crc = 0; }
    var x = 0;
    var y = 0;
 
    crc = crc ^ (-1);

    if (crc < 0) {crc = 4294967296 + crc;}
    for( var i = 0, iTop = str.length; i < iTop; i++ ) {
        y = ( crc ^ str.charCodeAt( i ) ) & 0xFF;
        x = "0x" + table.substr( y * 9, 8 );
        crc = ( crc >>> 8 ) ^ x;
    }
    crc = ~crc;
    if (crc < 0) {crc = 4294967296 + crc;}
    return crc;
 
};
    
</script>
</html>

Offline

#2 2011-11-03 12:47:19

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Nice code.
I'm no Javascript expert, so I won't be the right guy to ask for tips or criticism. wink
May be some other users around may have some nice ideas (I like most of the ideas posted on our forum!). smile

Client tick count wrapped could only occur when you use the GetTickCount windows API.
Which is not your case here, so you do not have to worry about it.

Time offset between client and server is only helpfull if you need a common time line for inserting in your fields.
So it won't be mandatory at first.

Offline

#3 2011-11-03 16:48:45

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Re: Javascript authentication

Problem is I'm truncating the javascript tickcount to 32bits to fit mORMot's signed url format and it's based on the time since 1970. But just realised I can simply create an tick count offset at login and start the tickcount from zero.

Thanks for the feedback. smile

Offline

#4 2011-11-11 08:21:29

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

About CRC32, perhaps creating the table at runtime won't be much time-consuming than using a static textual array.

Or use a fixed array in pure JavaScript instead of parsing all those text:

/*
  CRC-32 (as it is in ZMODEM) in table form

  Copyright (C) 1986 Gary S. Brown. You may use this program, or
  code or tables extracted from it, as desired without restriction.

  Modified by Anders Danielsson, February 5, 1989 and March 10, 2006.

  This is also known as FCS-32 (as it is in PPP), described in
  RFC-1662 by William Allen Simpson, see RFC-1662 for references.
*/
var Crc32Tab = new Array( /* CRC polynomial 0xEDB88320 */
0x00000000,0x77073096,0xEE0E612C,0x990951BA,0x076DC419,0x706AF48F,0xE963A535,0x9E6495A3,
0x0EDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x09B64C2B,0x7EB17CBD,0xE7B82D07,0x90BF1D91,
0x1DB71064,0x6AB020F2,0xF3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7,
0x136C9856,0x646BA8C0,0xFD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0xFA0F3D63,0x8D080DF5,
0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172,0x3C03E4D1,0x4B04D447,0xD20D85FD,0xA50AB56B,
0x35B5A8FA,0x42B2986C,0xDBBBC9D6,0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,
0x26D930AC,0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,0xB8BDA50F,
0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,0x58684C11,0xC1611DAB,0xB6662D3D,
0x76DC4190,0x01DB7106,0x98D220BC,0xEFD5102A,0x71B18589,0x06B6B51F,0x9FBFE4A5,0xE8B8D433,
0x7807C9A2,0x0F00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,0x086D3D2D,0x91646C97,0xE6635C01,
0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0xF50FC457,
0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,
0x4DB26158,0x3AB551CE,0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,0xD3D6F4FB,
0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,
0x5005713C,0x270241AA,0xBE0B1010,0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F,
0x5EDEF90E,0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,0xB7BD5C3B,0xC0BA6CAD,
0xEDB88320,0x9ABFB3B6,0x03B6E20C,0x74B1D29A,0xEAD54739,0x9DD277AF,0x04DB2615,0x73DC1683,
0xE3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0xE40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,
0xF00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,0x6E6B06E7,
0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,
0xD6D6A3E8,0xA1D1937E,0x38D8C2C4,0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,
0xD80D2BDA,0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,0x4669BE79,
0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,0xBB0B4703,0x220216B9,0x5505262F,
0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,0x5CB36A04,0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,
0x9B64C2B0,0xEC63F226,0x756AA39C,0x026D930A,0x9C0906A9,0xEB0E363F,0x72076785,0x05005713,
0x95BF4A82,0xE2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0xE5D5BE0D,0x7CDCEFB7,0x0BDBDF21,
0x86D3D2D4,0xF1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,
0x88085AE6,0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,0x166CCF45,
0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,0xD06016F7,0x4969474D,0x3E6E77DB,
0xAED16A4A,0xD9D65ADC,0x40DF0B66,0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9,
0xBDBDF21C,0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,0xCDD70693,0x54DE5729,0x23D967BF,
0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,0xB40BBE37,0xC30C8EA1,0x5A05DF1B,0x2D02EF8D);

function Crc32Add(crc,c)
/*
  'crc' should be initialized to 0xFFFFFFFF and after the computation it should be
  complemented (inverted).

  CRC-32 is also known as FCS-32.

  If the FCS-32 is calculated over the data and over the complemented FCS-32, the
  result will always be 0xDEBB20E3 (without the complementation).
*/
{
 return Crc32Tab[(crc^c)&0xFF]^((crc>>8)&0xFFFFFF);
}

function Crc32Str(str)
{
  var n;
  var len=str.length;
  var crc;

  crc=0xFFFFFFFF;
  for (n=0; n<len; n++)
  {
    crc=Crc32Add(crc,str.charCodeAt(n));
  }
  return crc^0xFFFFFFFF;
}

Offline

#5 2011-11-11 11:34:22

RangerX
Member
Registered: 2011-10-27
Posts: 6

Re: Javascript authentication

Code from my working project (it uses jQuery):
config.js:

// configuration section

// URL of application server
var SERVER_URL = "http://localhost";
// model root of application server
var SERVER_ROOT = "r";

// end of configuration section

var MAIN_URL = SERVER_URL + '/' + SERVER_ROOT;

shared.js:

function d2h(d, padding) {
    var hex = Number(d).toString(16);
    padding = typeof (padding) === "undefined" || padding === null ? padding = 2 : padding;

    while (hex.length < padding) {
        hex = "0" + hex;
    }
    return hex;
}

function prf(name) {
    return 'loans_' + name;
}

function getSet(name) {
    return localStorage.getItem(prf(name));
}

function getSetAsInt(name) {
    var c = getSet(name);
    return Number(c) ? c : 0;
}

function setSet(name, value) {
    return localStorage.setItem(prf(name), value);
}

function InitSession() {
    localStorage.removeItem(prf('SESSION_ID'));
    localStorage.removeItem(prf('SESSION_PRIVATE_KEY'));
    localStorage.removeItem(prf('SESSION_LAST_TICK_COUNT'));
    localStorage.removeItem(prf('SESSION_TICK_COUNT_OFFSET'));
    localStorage.removeItem(prf('SESSION_USERNAME'));
    return true;
}

function CloseSession() {
    if (!getSetAsInt('SESSION_ID')) return;

    $.ajax({
        type: "GET",
        dataType: "json",
        url: MAIN_URL + '/auth',
        data: {'session': getSetAsInt('SESSION_ID'), 'UserName': getSet('SESSION_USERNAME')},
        timeout: 2000,
        success: InitSession,
        error: InitSession
    });
}

// converted from TSQLRestClientURI.SessionSign function
function GetSessionSignature(url) {
    // expected format is 'session_signature='Hexa8(SessionID)+Hexa8(TimeStamp)+
    // Hexa8(crc32('SessionID+HexaSessionPrivateKey'+Sha256('salt'+PassWord)+
    // Hexa8(TimeStamp)+url))
    var d = new Date();
    var Tix = d.getTime();
    if (Tix < getSetAsInt('SESSION_LAST_TICK_COUNT')) // wrap around 0 after 49.7 days
        setSet('SESSION_TICK_COUNT_OFFSET', getSetAsInt('SESSION_TICK_COUNT_OFFSET') + 1 << (32 - 8)); // allows 35 years timing
    setSet('SESSION_LAST_TICK_COUNT', Tix);

    var Nonce = d2h(Tix >>> 8 + getSetAsInt('SESSION_TICK_COUNT_OFFSET'), 8);
    var sign = d2h(getSetAsInt('SESSION_ID'), 8) + Nonce + d2h(crc32(getSet('SESSION_PRIVATE_KEY') + Nonce + url), 8);
    var prf = '?';
    if (url.indexOf('?') > -1) prf = '&';
    return  prf + 'session_signature=' + sign;
}

$.ajaxPrefilter(function(options, _, jqXHR) {
    // signing all sended URLs
    if (getSetAsInt('SESSION_ID') > 0 && options.url.indexOf(MAIN_URL) > -1) { // if user authenticated
        var new_url = options.url;
        if (options.data && options.type == "GET")
        {
            new_url += '?' + options.data;
            options.data = null; // or options.data will be added to url by JQuery
        }
        options.url = new_url + GetSessionSignature(new_url.substr(SERVER_URL.length + 1));
        options.cache = true; // we don't want anti-cache "_" JQuery-parameter
    }
});

$(function() {
    if (typeof(localStorage) == 'undefined')
        alert('You do not have HTML5 localStorage support in your browser. Please update or application cannot work as expected');
});

I use HTML5 LocalStorage, not cookies, for storing session information.

And this is code for user authentication:
login.js:

function AuthorizeUser() {
    var name = $("#username").val();
    var pwd = $("#password").val();
    var servnonce = "";

    CloseSession(); // try close previously opened session

    var d = new Date();
    var clientnonce = d.getTime() / (1000 * 60 * 5); // valid for 5*60*1000 ms = 5 minutes;
    clientnonce = SHA256("" + clientnonce);

    var dataString = {'UserName': name};

    $.ajax({
        type: "GET",
        dataType: "json",
        url: MAIN_URL + '/auth',
        data: dataString,
        timeout:2000,
        beforeSend: function(jqXHR, settings) {
            $.blockUI({
                message: '<h1><img src="/images/busy.gif" style="height:16px;width:16px;" /> Авторизуюсь...</h1>',
                css: {
                    border: 'none',
                    padding: '15px',
                    backgroundColor: '#000',
                    '-webkit-border-radius': '10px',
                    '-moz-border-radius': '10px',
                    opacity: .5,
                    color: '#fff'
                } });
        },
        success: function(data, textStatus, jqXHR) {
            servnonce = data.result;
            // The Password parameter as sent for the 2nd request will be computed as
            // ! Sha256(ModelRoot+Nonce+ClientNonce+UserName+Sha256('salt'+PassWord))
            var password = SHA256(SERVER_ROOT + servnonce + clientnonce + name + SHA256('salt' + pwd));
            dataString = {'UserName': name, 'Password': password, 'ClientNonce': clientnonce};

            // second handshake
            $.ajax({
                type: "GET",
                dataType: "json",
                url: MAIN_URL + '/auth',
                data: dataString,
                timeout: 2000,

                success: function(data, textStatus, jqXHR) {
                    var p = data.result.indexOf('+');
                    if (p > -1) {
                        setSet('SESSION_ID', data.result.substr(0, p));
                        setSet('SESSION_PRIVATE_KEY', data.result + SHA256('salt' + pwd));
                        setSet('SESSION_USERNAME', name);

                        // get session info
                        $.ajax({
                            type: "GET",
                            dataType: "json",
                            url: MAIN_URL + '/GetSessionInfo',
                            timeout: 2000,
                            success: function(data) {
                                create_notify("msgs", { title:'Welcome', text:'You are successfully authenticated', icon:'check48.png' });
                                setSet('SESSION_GROUP', data.group);
                                setSet('SESSION_FIO', data.fio);
                                setTimeout(function() {
                                    document.location = '/pages/main_' + data.group + '.htm';
                                }, 1000);
                            }
                        });
                        $.unblockUI();

                        return true;
                    }
                },
                error: function (jqXHR, textStatus, errorThrown) {
                    if (jqXHR.status == 404) {
                        create_notify('msgs', {title:'Authentication error', text:'Sorry, wrong username or password', icon:'error48.png'});
                        $("#login section").effect("shake", 150);
                        $.unblockUI();
                        return
                    }
                }
            }); // end success of second handshake
        } // end success of first handshake
    });

    return false; // end of AuthorizeUser
}

$(function() {
    // Call the button widget method on the login button to format it.
    $("#btnLogin").button().bind("click", function() {
        AuthorizeUser();
        return false;
    });
});

Also i patch TSQLRestServer.Auth function (SQLite3Commons.pas):
Replace

...
       try
          User := nil; // will be freed by TAuthSession.Destroy
          aResp := Session.fPrivateSalt;
          if fSessions=nil then
...

with

...
        try
          User := nil; // will be freed by TAuthSession.Destroy
          aResp := JSONEncodeResult([Session.fPrivateSalt]);

          if fSessions=nil then
...

and

...
    begin
      // only UserName=... -> return hexadecimal nonce content valid for 5 minutes
      aResp := Nonce(false);
    end;
...

with

...
    begin
      // only UserName=... -> return hexadecimal nonce content valid for 5 minutes
      aResp := JSONEncodeResult([Nonce(false)]);
    end;
...

P.S. SHA256 and CRC32 routines getted from http://www.webtoolkit.info/
P.P.S. Replace string

if (typeof(crc) == "undefined") { crc = 0; }

to

crc = 0;

in webtoolkit.crc32.js or you have get wrong results from crc32 function. Or maybe code above (from ab) worked well, i don't check smile
P.P.P.S. Sorry for my English smile

Last edited by RangerX (2011-11-11 13:23:25)

Offline

#6 2011-11-11 11:49:58

RangerX
Member
Registered: 2011-10-27
Posts: 6

Re: Javascript authentication

And my question: is there a way to override TSQLAuthUser model (i.e. TSQLMyAuthUser, without patching source code of mORMot, just native OOP) to add relationship with TSQLBranch model? I need a "One to many" relationship between two tables: AuthUser and Branches (ID, Name, Address). I don't want to use TSQLAuthUser.Data property, because too many code for work with simply integer ID-field smile

Offline

#7 2011-11-11 13:20:59

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

It could make sense to be able to customize the TSQLAuthUser class.
I could modify the TSQLRestServer.Create() constructor to have the TSQLRest use a custom inherited class (not searching for an exact TSQLAuthUser class, but any inherited class).
Then let this class used in all code.

But in the current code, there is no direct solution using pure OOP.

What about using a dynamic array and store it into the Data property?

Offline

#8 2011-11-11 13:35:15

RangerX
Member
Registered: 2011-10-27
Posts: 6

Re: Javascript authentication

TSQLBranch is just a example of what I want smile Besides, I want a few more fields in TSQLAuthUser class, like LastName, FirstName, Birthdate, etc... smile I can (surely) use a dynamic array of record with these fields. But then lost OOP-flexibility. Can you give me an example of TSQLRestServer.Create() constructor modification? Only a few lines of code that I understand the direction.

Offline

#9 2011-11-11 13:50:59

Sir Rufo
Member
Registered: 2011-10-14
Posts: 24

Re: Javascript authentication

RangerX wrote:

TSQLBranch is just a example of what I want smile Besides, I want a few more fields in TSQLAuthUser class, like LastName, FirstName, Birthdate, etc... smile I can (surely) use a dynamic array of record with these fields. But then lost OOP-flexibility. Can you give me an example of TSQLRestServer.Create() constructor modification? Only a few lines of code that I understand the direction.

Why do u want to blow up the TSQLAuthUser?
This class is for authentication and not saying "Happy Birthday" to the user.

Why not use an extra TSQLRecord (e.g. TSQLExtendUser )

TSQLExtendUser = class( TSQLRecord )
published
  property AuthUser : TSQLAuthUser;
  property FirstName : SynUnicode;
  property LastName : SynUnicode;
  property Birthday : TDateTime;
  // ... and whatever u like
end;

Offline

#10 2011-11-11 13:53:21

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

I've just modified the framework code to match the authentication JavaScript code supplied by RangerX.
I made the response be true JSON result object. I've modified the TSQLRestURI.SetUser code to let pure Delphi code work with this. And added a reference to your code as a working JavaScript implementation of the framework.
See http://synopse.info/fossil/info/5674fa9903

Thanks!

Offline

#11 2011-11-11 13:56:41

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Another possibility may be to add a generic TSQLRecord published property to the TSQLAuthUser class, in addition to the Data property.
Perhaps the best way of implementing additional "business logic" information.

On the other side, having TSQLAuthUser be as generic as possible does make sense.
Its purpose is to handle authentication and it is therefore associated to sessions.
It was not meant to say "Happy Birthday" to the user, as Sir Rufo wrote...

In fact, in my mind (and as stated by the class name), this TSQLAuthUser was meant for authentication, not for User-logging.
In the AJAX world, the business logic "User" matches the authenticated user.
But in a pure Delphi client, the so called "User" may be only at RESTful connection level, and for ORM access rights.
That is the reason why authentication is not mandatory for the framework.

Offline

#12 2011-11-11 14:15:33

RangerX
Member
Registered: 2011-10-27
Posts: 6

Re: Javascript authentication

Thanks for the feedback smile I will do it like Sir Rufo wrote.

Offline

#13 2011-11-11 15:22:33

RangerX
Member
Registered: 2011-10-27
Posts: 6

Re: Javascript authentication

Another feature, I used in my project: I want inform the user if it cannot update/delete record and why.
There is my modifications (not whole modifications shown, only main points):
SQLite3Commons.pas:

function TSQLRest.RecordCanBeUpdated(Table: TSQLRecordClass; ID: integer; Action: TSQLEvent; [b]var ErrorMsg: RawUTF8[/b]): boolean; virtual;

function TSQLRestServer.URI(const url, method, SentData: RawUTF8;
var
...
    [b]ErrorMsg: RawUTF8;[/b]
begin
...
    if MethodUp='DELETE' then begin     // DELETE
      // ModelRoot/TableName/ID to delete a member
      if (Table<>nil) and (ID>0) then
      if not [b]RecordCanBeUpdated(Table,ID,seDelete, ErrorMsg)[/b] then // HTTP Forbidden
      begin
        result.Lo := 401;
        [b]Resp := JSONEncode(['errorCode','401', 'errorText', ErrorMsg]);[/b]
      end
      else 
      if not (TableIndex in RestAccessRights^.DELETE) then // check User
      begin
        result.Lo := 401;
        [b]Resp := JSONEncode(['errorCode','401', 'errorText', 'no access']);[/b]
      end
      else
...

Code from my project that uses this feature:

type
  TMainServer = class(TSQLRestServerDB)
  protected
    function RecordCanBeUpdated(Table: TSQLRecordClass; ID: integer; Action: TSQLEvent; var ErrorMsg: RawUTF8): boolean; override;
  end;
...
function TMainServer.RecordCanBeUpdated(Table: TSQLRecordClass; ID: integer;
  Action: TSQLEvent; var ErrorMsg: RawUTF8): boolean;
begin
  Result := True;
  if (Table = TSQLBranches) and (ID = 1) and (Action = seDelete) then
  begin
    ErrorMsg := 'You cannot delete main branch!';
    Result := False;
  end;
end;

Perhaps more information (like SentData from URI?) should be passed to RecordCanBeUpdated for a more flexible implementation of business logic?

Example client-side code (javascript):

function globalErrorHandler(jqXHR, textStatus, errorThrown) {
    $.unblockUI();
    if (textStatus == "timeout")
        create_notify("msgs", { title:'Timeout', text:'Sorry, server is down at the moment. Try again later', icon:'server_down.gif' });
    else
    {
        switch (jqXHR.status) {
            case 401:
                if (textStatus == 'no access')
                {
                    create_notify("msgs", { title:'Access denied', text:'You do not have permission to use this function', icon:'error48.png' });
                    setTimeout(function() {
                        document.location = '/pages/main_'+getSet('SESSION_GROUP')+'.htm';
                    }, 2000);
                }
                else
                {
                    // custom error from server (from RecordCanBeUpdated)
                    eval('var response = ('+jqXHR.responseText+')');
                    create_notify("msgs", { title:'Record cannot be updated', text:response.errorText, icon:'error48.png' });
                }
            break;

            case 403:
                create_notify("msgs", { title:'Authentication error', text:'You do not authenticated and will be redirected to login page', icon:'error48.png' });
                setTimeout(function() {
                    document.location = '/index.htm';
                }, 2000);
            break;
            default: create_notify("msgs", { title:'Unknown error: ' + jqXHR.status, text:'Unknown error raised: ' + textStatus + ': ' + errorThrown, icon:'error48.png' });
        }
    }
    jqXHR.abort();
    return false;
}

$.ajaxSetup({error: globalErrorHandler});

Last edited by RangerX (2011-11-11 15:34:00)

Offline

#14 2011-11-30 10:17:39

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

It may be a good idea to add such a generic JSON error message mechanisms in the framework.

I'll add it to my to-do list.

Offline

#15 2011-12-03 21:29:25

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Re: Javascript authentication

Here's a slightly tidier version of my javascript authentication adding some error handling and ideas above.

RangerX - thanks for pointing out $.ajaxPrefilter and using localStorage. I'll probably do something similar soon.

I assume there's no point adding salt to the password hash in javascript as it would be plainly visible.

var SynAuth = {
  User : "",
  fRoot : "",
  fSessionID : 0,
  fSessionIDHexa8 : "",
  fSessionPrivateKey : 0,
  fSessionTickCountOffset : 0,
  fLastSessionTickCount : 0,

  PasswordHashHexa : "",
  fServerTimeStampOffset : 0,
  fcallBack : null,
  ffailCallBack : null
};  // SynAuth namespace
    
    SynAuth.LogIn = function (root, username, password, callback, failCallback){
      SynAuth.fRoot = root;
      SynAuth.User = username;
      SynAuth.PasswordHashHexa = Sha256.hash(""+password);
      if (callback) {SynAuth.fcallBack = callback;}
      if (failCallback) {SynAuth.ffailCallback = failCallback;}
      $.get("/"+root+"/TimeStamp", SynAuth.gotTimeStamp);
    }
    
    SynAuth.LogInAgain = function(callback){ //after timeout error for silent re-login
      SynAuth.fSessionID = 0;
      SynAuth.fSessionIDHexa8 = "";
      SynAuth.fSessionPrivateKey = 0;
      if (callback) {SynAuth.fcallBack = callback;} else {SynAuth.fcallBack = null;}
      $.get("/"+SynAuth.fRoot+"/TimeStamp", SynAuth.gotTimeStamp);
    }
    
    SynAuth.gotTimeStamp = function (timestamp) {
      var s = '', d = new Date(), clientTime = '';
      timestamp = parseInt(timestamp);
      s = d.getFullYear().toString(2);
      while(s.length < 13) { s = '0'+s;}
      clientTime = s;
      s = d.getMonth().toString(2);
      while(s.length < 4) { s = '0'+s;}
      clientTime = clientTime +s;
      s = (d.getDate()-1).toString(2);
      while(s.length < 5) { s = '0'+s;}
      clientTime = clientTime +s;
      s = d.getHours().toString(2);
      while(s.length < 5) { s = '0'+s;}
      clientTime = clientTime +s;
      s = d.getMinutes().toString(2);
      while(s.length < 6) { s = '0'+s;}
      clientTime = clientTime +s;
      s = d.getSeconds().toString(2);
      while(s.length < 6) { s = '0'+s;}
      clientTime = clientTime +s;
      SynAuth.fServerTimeStampOffset = (timestamp - parseInt(clientTime,2));
      $.get("/"+SynAuth.fRoot+"/auth?UserName="+SynAuth.User, SynAuth.gotNonce);
    }
    
    SynAuth.gotNonce = function (aNonce){
      //create client nonce
      var aClientNonce = "", s = "", d = new Date();
      aClientNonce = d.getFullYear().toString();
      s = d.getMonth().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + '-' + s;
      s = d.getDate().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + '-' + s + ' ';
      s = d.getHours().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + s;
      s = d.getMinutes().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + ':' + s;
      s = d.getSeconds().toString();
      if (s.length === 1) { s = '0'+s;}
      aClientNonce = aClientNonce + ':' + s;
      aClientNonce = Sha256.hash(aClientNonce);
      s = "/"+SynAuth.fRoot+"/auth?UserName="+SynAuth.User+"&Password=" + 
       Sha256.hash( SynAuth.fRoot+aNonce.result+aClientNonce+SynAuth.User+SynAuth.PasswordHashHexa )+
       "&ClientNonce="+aClientNonce;
      $.ajax({
        type: "GET",
        dataType: "json",
        url: s,
        success: SynAuth.gotSession,
        error: SynAuth.ffailCallback});                   
    };
    
    SynAuth.gotSession = function (aSessionKey){
      var i = aSessionKey.result.indexOf("+");
      SynAuth.fSessionID = parseInt(aSessionKey.result.slice(0, i));
      SynAuth.fSessionIDHexa8 = SynAuth.fSessionID.toString(16);
      while(SynAuth.fSessionIDHexa8.length < 8) { SynAuth.fSessionIDHexa8 = '0'+SynAuth.fSessionIDHexa8; }
      SynAuth.fSessionPrivateKey = SynAuth.crc32(SynAuth.PasswordHashHexa, SynAuth.crc32(aSessionKey.result, 0));
      if (SynAuth.fcallBack != null) { SynAuth.fcallBack(); }
    }
    
    SynAuth.SessionSign = function (url) {
      var Tix, Nonce, s, ss, d = new Date(); 
      Tix = d.getTime();
      if (SynAuth.fLastSessionTickCount == Tix) {Tix = Tix + 1;}
      SynAuth.fLastSessionTickCount = Tix;
      Nonce = Tix.toString(16);
      while(Nonce.length < 8) { Nonce = '0'+Nonce; }
      if (Nonce.length > 8) { Nonce = Nonce.slice(Nonce.length-8) }
      ss = SynAuth.crc32(url, SynAuth.crc32(Nonce, SynAuth.fSessionPrivateKey)).toString(16);
      while(ss.length < 8) { ss = '0'+ss; }
      s = url.indexOf("?") == -1 ? url+'?session_signature=' : url+'&session_signature=';
      return s + SynAuth.fSessionIDHexa8 + Nonce + ss;  
    }
    
    SynAuth.Logout = function (callback) {
      if (SynAuth.fSessionID == 0) {if (callback){callback();}} else {
        $.get("/"+SynAuth.fRoot+"/auth?UserName="+SynAuth.User+"&Session="+SynAuth.fSessionID, callback);
        SynAuth.fRoot = '';
        SynAuth.User = '';
        SynAuth.fSessionID = 0;
        SynAuth.fSessionIDHexa8 = "";
        SynAuth.fSessionPrivateKey = 0;
      }
    }
    
/*
  CRC-32 (as it is in ZMODEM) in table form

  Copyright (C) 1986 Gary S. Brown. You may use this program, or
  code or tables extracted from it, as desired without restriction.

  Modified by Anders Danielsson, February 5, 1989 and March 10, 2006.

  This is also known as FCS-32 (as it is in PPP), described in
  RFC-1662 by William Allen Simpson, see RFC-1662 for references.
*/
SynAuth.Crc32Tab = new Array( /* CRC polynomial 0xEDB88320 */
0x00000000,0x77073096,0xEE0E612C,0x990951BA,0x076DC419,0x706AF48F,0xE963A535,0x9E6495A3,
0x0EDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x09B64C2B,0x7EB17CBD,0xE7B82D07,0x90BF1D91,
0x1DB71064,0x6AB020F2,0xF3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7,
0x136C9856,0x646BA8C0,0xFD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0xFA0F3D63,0x8D080DF5,
0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172,0x3C03E4D1,0x4B04D447,0xD20D85FD,0xA50AB56B,
0x35B5A8FA,0x42B2986C,0xDBBBC9D6,0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,
0x26D930AC,0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,0xB8BDA50F,
0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,0x58684C11,0xC1611DAB,0xB6662D3D,
0x76DC4190,0x01DB7106,0x98D220BC,0xEFD5102A,0x71B18589,0x06B6B51F,0x9FBFE4A5,0xE8B8D433,
0x7807C9A2,0x0F00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,0x086D3D2D,0x91646C97,0xE6635C01,
0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0xF50FC457,
0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,
0x4DB26158,0x3AB551CE,0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,0xD3D6F4FB,
0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,
0x5005713C,0x270241AA,0xBE0B1010,0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F,
0x5EDEF90E,0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,0xB7BD5C3B,0xC0BA6CAD,
0xEDB88320,0x9ABFB3B6,0x03B6E20C,0x74B1D29A,0xEAD54739,0x9DD277AF,0x04DB2615,0x73DC1683,
0xE3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0xE40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,
0xF00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,0x6E6B06E7,
0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,
0xD6D6A3E8,0xA1D1937E,0x38D8C2C4,0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,
0xD80D2BDA,0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,0x4669BE79,
0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,0xBB0B4703,0x220216B9,0x5505262F,
0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,0x5CB36A04,0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,
0x9B64C2B0,0xEC63F226,0x756AA39C,0x026D930A,0x9C0906A9,0xEB0E363F,0x72076785,0x05005713,
0x95BF4A82,0xE2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0xE5D5BE0D,0x7CDCEFB7,0x0BDBDF21,
0x86D3D2D4,0xF1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,
0x88085AE6,0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,0x166CCF45,
0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,0xD06016F7,0x4969474D,0x3E6E77DB,
0xAED16A4A,0xD9D65ADC,0x40DF0B66,0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9,
0xBDBDF21C,0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,0xCDD70693,0x54DE5729,0x23D967BF,
0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,0xB40BBE37,0xC30C8EA1,0x5A05DF1B,0x2D02EF8D);

SynAuth.Crc32Add = function (crc,c)
/*
  'crc' should be initialized to 0xFFFFFFFF and after the computation it should be
  complemented (inverted).

  CRC-32 is also known as FCS-32.

  If the FCS-32 is calculated over the data and over the complemented FCS-32, the
  result will always be 0xDEBB20E3 (without the complementation).
*/
{
 return SynAuth.Crc32Tab[(crc^c)&0xFF]^((crc>>8)&0xFFFFFF);
}

SynAuth.crc32 = function (str, crc)
{
  var n;
  var len=str.length;
  if (typeof(crc) == "undefined") { crc = 0xFFFFFFFF; }
  else {
    crc = crc^0xFFFFFFFF; //crc = ~crc;
    //remove sign to emulate delphi's 32bit cardinal
    if (crc < 0) {
      crc = 4294967296 + crc;
    }    
  }
  for (n=0; n<len; n++)
  {
    crc=SynAuth.Crc32Add(crc,str.charCodeAt(n));
  }
  crc = crc^0xFFFFFFFF; //crc = ~crc;
  if (crc < 0) {
    crc = 4294967296 + crc;
  }    
  return crc;
}
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
/*  SHA-256 implementation in JavaScript | (c) Chris Veness 2002-2010 | www.movable-type.co.uk    */
/*   - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html                             */
/*         http://csrc.nist.gov/groups/ST/toolkit/examples.html                                   */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

var Sha256 = {};  // Sha256 namespace

/**
 * Generates SHA-256 hash of string
 *
 * @param {String} msg                String to be hashed
 * @param {Boolean} [utf8encode=true] Encode msg as UTF-8 before generating hash
 * @returns {String}                  Hash of msg as hex character string
 */
Sha256.hash = function(msg, utf8encode) {
    utf8encode =  (typeof utf8encode == 'undefined') ? true : utf8encode;
    
    // convert string to UTF-8, as SHA only deals with byte-streams
    if (utf8encode) msg = Utf8.encode(msg);
    
    // constants [§4.2.2]
    var K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
             0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
             0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
             0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
             0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
             0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
             0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
             0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2];
    // initial hash value [§5.3.1]
    var H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];

    // PREPROCESSING 
 
    msg += String.fromCharCode(0x80);  // add trailing '1' bit (+ 0's padding) to string [§5.1.1]

    // convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
    var l = msg.length/4 + 2;  // length (in 32-bit integers) of msg + '1' + appended length
    var N = Math.ceil(l/16);   // number of 16-integer-blocks required to hold 'l' ints
    var M = new Array(N);

    for (var i=0; i<N; i++) {
        M[i] = new Array(16);
        for (var j=0; j<16; j++) {  // encode 4 chars per integer, big-endian encoding
            M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) | 
                      (msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
        } // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
    }
    // add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
    // note: most significant word would be (len-1)*8 >>> 32, but since JS converts
    // bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
    M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14])
    M[N-1][15] = ((msg.length-1)*8) & 0xffffffff;


    // HASH COMPUTATION [§6.1.2]

    var W = new Array(64); var a, b, c, d, e, f, g, h;
    for (var i=0; i<N; i++) {

        // 1 - prepare message schedule 'W'
        for (var t=0;  t<16; t++) W[t] = M[i][t];
        for (var t=16; t<64; t++) W[t] = (Sha256.sigma1(W[t-2]) + W[t-7] + Sha256.sigma0(W[t-15]) + W[t-16]) & 0xffffffff;

        // 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
        a = H[0]; b = H[1]; c = H[2]; d = H[3]; e = H[4]; f = H[5]; g = H[6]; h = H[7];

        // 3 - main loop (note 'addition modulo 2^32')
        for (var t=0; t<64; t++) {
            var T1 = h + Sha256.Sigma1(e) + Sha256.Ch(e, f, g) + K[t] + W[t];
            var T2 = Sha256.Sigma0(a) + Sha256.Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = (d + T1) & 0xffffffff;
            d = c;
            c = b;
            b = a;
            a = (T1 + T2) & 0xffffffff;
        }
         // 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
        H[0] = (H[0]+a) & 0xffffffff;
        H[1] = (H[1]+b) & 0xffffffff; 
        H[2] = (H[2]+c) & 0xffffffff; 
        H[3] = (H[3]+d) & 0xffffffff; 
        H[4] = (H[4]+e) & 0xffffffff;
        H[5] = (H[5]+f) & 0xffffffff;
        H[6] = (H[6]+g) & 0xffffffff; 
        H[7] = (H[7]+h) & 0xffffffff; 
    }

    return Sha256.toHexStr(H[0]) + Sha256.toHexStr(H[1]) + Sha256.toHexStr(H[2]) + Sha256.toHexStr(H[3]) + 
           Sha256.toHexStr(H[4]) + Sha256.toHexStr(H[5]) + Sha256.toHexStr(H[6]) + Sha256.toHexStr(H[7]);
}

Sha256.ROTR = function(n, x) { return (x >>> n) | (x << (32-n)); }
Sha256.Sigma0 = function(x) { return Sha256.ROTR(2,  x) ^ Sha256.ROTR(13, x) ^ Sha256.ROTR(22, x); }
Sha256.Sigma1 = function(x) { return Sha256.ROTR(6,  x) ^ Sha256.ROTR(11, x) ^ Sha256.ROTR(25, x); }
Sha256.sigma0 = function(x) { return Sha256.ROTR(7,  x) ^ Sha256.ROTR(18, x) ^ (x>>>3);  }
Sha256.sigma1 = function(x) { return Sha256.ROTR(17, x) ^ Sha256.ROTR(19, x) ^ (x>>>10); }
Sha256.Ch = function(x, y, z)  { return (x & y) ^ (~x & z); }
Sha256.Maj = function(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); }

//
// hexadecimal representation of a number 
//   (note toString(16) is implementation-dependant, and  
//   in IE returns signed numbers when used on full words)
//
Sha256.toHexStr = function(n) {
  var s="", v;
  for (var i=7; i>=0; i--) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
  return s;
}


/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
/*  Utf8 class: encode / decode between multi-byte Unicode characters and UTF-8 multiple          */
/*              single-byte character encoding (c) Chris Veness 2002-2010                         */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

var Utf8 = {};  // Utf8 namespace

/**
 * Encode multi-byte Unicode string into utf-8 multiple single-byte characters 
 * (BMP / basic multilingual plane only)
 *
 * Chars in range U+0080 - U+07FF are encoded in 2 chars, U+0800 - U+FFFF in 3 chars
 *
 * @param {String} strUni Unicode string to be encoded as UTF-8
 * @returns {String} encoded string
 */
Utf8.encode = function(strUni) {
  // use regular expressions & String.replace callback function for better efficiency 
  // than procedural approaches
  var strUtf = strUni.replace(
      /[\u0080-\u07ff]/g,  // U+0080 - U+07FF => 2 bytes 110yyyyy, 10zzzzzz
      function(c) { 
        var cc = c.charCodeAt(0);
        return String.fromCharCode(0xc0 | cc>>6, 0x80 | cc&0x3f); }
    );
  strUtf = strUtf.replace(
      /[\u0800-\uffff]/g,  // U+0800 - U+FFFF => 3 bytes 1110xxxx, 10yyyyyy, 10zzzzzz
      function(c) { 
        var cc = c.charCodeAt(0); 
        return String.fromCharCode(0xe0 | cc>>12, 0x80 | cc>>6&0x3F, 0x80 | cc&0x3f); }
    );
  return strUtf;
}

/**
 * Decode utf-8 encoded string back into multi-byte Unicode characters
 *
 * @param {String} strUtf UTF-8 string to be decoded back to Unicode
 * @returns {String} decoded string
 */
Utf8.decode = function(strUtf) {
  // note: decode 3-byte chars first as decoded 2-byte strings could appear to be 3-byte char!
  var strUni = strUtf.replace(
      /[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g,  // 3-byte chars
      function(c) {  // (note parentheses for precence)
        var cc = ((c.charCodeAt(0)&0x0f)<<12) | ((c.charCodeAt(1)&0x3f)<<6) | ( c.charCodeAt(2)&0x3f); 
        return String.fromCharCode(cc); }
    );
  strUni = strUni.replace(
      /[\u00c0-\u00df][\u0080-\u00bf]/g,                 // 2-byte chars
      function(c) {  // (note parentheses for precence)
        var cc = (c.charCodeAt(0)&0x1f)<<6 | c.charCodeAt(1)&0x3f;
        return String.fromCharCode(cc); }
    );
  return strUni;
}

/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

Offline

#16 2011-12-04 11:34:23

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Whaooo!

This is a very nice piece of code.

The whole authentication process is included in just one JavaScript file, including CRC32 and SHA256.

Thanks a lot for sharing this.
smile

Offline

#17 2011-12-11 10:02:29

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

esmondb wrote:

I assume there's no point adding salt to the password hash in javascript as it would be plainly visible.

Adding a salt at the beginning of a SHA-256 hashed expression is a common way of increasing security.
There are several reasons - see http://en.wikipedia.org/wiki/Salt_(cryptography)
Of course, the best is to use a nonce, but a salt does make sense here. If not mandatory, it won't hurt.

Offline

#18 2012-02-16 20:38:28

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

As stated in the project road map, I've added a generic JSON error message mechanism within the framework (including error code as integer and text, with custom error messages in RecordCanBeUpdated method and also in TSQLRestServerCallBackParams).

It follows more or less the pattern proposed above by Ranger X - see http://synopse.info/forum/viewtopic.php?pid=3003#p3003 - but with some enhancements: it is more generic, and is available also in RESTful services (as it will be with interface-based service implementation).
Thanks for the suggestion!

See http://synopse.info/fossil/info/cd4268f42b

Offline

#19 2013-10-21 12:40:04

jvillasantegomez
Member
From: Ciudad Habana. Cuba.
Registered: 2013-10-21
Posts: 54

Re: Javascript authentication

Hi

I'm using the code from RangerX to do the javascript authentication. However, the code doesn't seem to work as expected.

After valid authentication, some calls to the underlying service pass throug and some return 403 - FORBIDDEN. This is a very weird behaivour.

I thing that the problem is in the Nonce but I don't understand it well even after reading the Security chapter on the SAD.

If I change the authentication mode to TSQLRestServerAuthenticationNone all works perfectly, but when i go with TSQLRestServerAuthenticationDefault the behaviour is not as expected.

Can anyone please help?

Offline

#20 2013-10-24 17:02:12

jvillasantegomez
Member
From: Ciudad Habana. Cuba.
Registered: 2013-10-21
Posts: 54

Re: Javascript authentication

Never mind.

I found that the problem with RangerX code was the crc32 function (not really his) but when I changed the function to the implementation found in https://github.com/h2non/jsHashes everything works as expected.

Offline

#21 2013-10-24 19:47:15

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,534
Website

Re: Javascript authentication

Yes. It's happens - JavaScript is young language. The most "classic" security JS lib is here - http://crypto.stanford.edu/sjcl/ (but w/o MD5)
I'm use this lib's http://pajhome.org.uk/crypt/md5/

Offline

#22 2013-10-25 13:53:02

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

I suspect you need to force unsigned integers (i.e. Delphi "cardinal" type) for the calculation.
In JavaScript, it is done by using the " >>> 0 " operator.

In fact, this is what we did when working with SmartMobileStudio.
See http://blog.synopse.info/post/2012/04/1 … JavaScript
And our code creates on-the-fly the fixed constant table, so code is smaller, and also faster, than using a constant string in hexadecimal for crc32.

Offline

#23 2014-01-16 21:01:24

neocoder
Member
Registered: 2014-01-16
Posts: 1

Re: Javascript authentication

Here's a proper crc32 function:

    var makeCRCTable = function(){
        var c;
        var crcTable = [];
        for(var n =0; n < 256; n++){
            c = n;
            for(var k =0; k < 8; k++){
                c = ((c&1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1));
            }
            crcTable[n] = c;
        }
        return crcTable;
    }
    var crcTable = makeCRCTable();

    var crc32 = function(str, init) {
        var crc = (typeof init === 'undefined') ? 0 ^ (-1) : init^0xFFFFFFFF;
    
        for (var i = 0; i < str.length; i++ ) {
            crc = (crc >>> 8) ^ crcTable[(crc ^ str.charCodeAt(i)) & 0xFF];
        }
    
        return (crc ^ (-1)) >>> 0;
    };

Offline

#24 2014-01-17 17:38:44

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Thanks for the input.

smile

Offline

#25 2014-05-02 22:59:13

moctes
Member
From: Mexico
Registered: 2013-05-11
Posts: 129

Re: Javascript authentication

Hi to all,

I need some help with this, currently I'm working on a delphi project (mORMot server) on which there will be a thirdparty consuming services from a Javascript application, I am trying to give him a sample of authentication based on Esmondb posted code (well almost :-) the starting "/"+ has been removed from the $.get ), everything seems to be working but I'm not having success on getting a session, after debugging the following function on mORMot.pas :

function TSQLRestServerAuthenticationDefault.Auth(...
Begin
  .
  .
        if not CheckPassword(Ctxt,User,aClientNonce,aPassWord) then
        exit;
  .
  .
End;

All boils down to the following check:

  result := (aPassWord=SHA256(fServer.Model.Root+Nonce(false)+aSalt)) or
            // if current nonce failed, tries with previous 5 minutes nonce
            (aPassWord=SHA256(fServer.Model.Root+Nonce(true)+aSalt));

Neither of them are giving the same Javascript generated password although after reading mORMot code and docs seems like if is being generated as is  required by the mORMot framework.

For testing purposes I modified the sample 14 - Interface based services to use:

aServer.AuthenticationRegister(TSQLRestServerAuthenticationDefault);

Tests are being made on Google Chrome console using the following line:

  SynAuth.LogIn("http://localhost:888/root", "User", "synopse")

and the last GET request sent to the server is something like this :

http://localhost:888/root/auth?UserName=User&Password=bd0ec39f2fba41a0b1dc40677e122cd8c03576c4445dcedc775b5d1605b3d60b&ClientNonce=55c6610c406e3aa72511df8ef24ee1c42b0490ff233385d8619d239f61c92d3c

Result :

{
"ErrorCode":400,
"ErrorText":"Bad Request"
}

Before making further research I would like to know If someone has some tested Javascript code sample which can succesfully authenticate with mORMot default authentication schema that would be so kind to share, I'm really having a hard time with it so any help would be much appreciated.

Regards,
Mocte

Last edited by moctes (2014-05-03 01:55:17)

Offline

#26 2014-05-03 08:20:58

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Re: Javascript authentication

From what I remember I added the starting "/" to the url root as it messed up the hash if included.

Offline

#27 2014-05-03 17:55:40

moctes
Member
From: Mexico
Registered: 2013-05-11
Posts: 129

Re: Javascript authentication

Thanks for answering esmondb, but adding "/" causes errors like:

net::ERR_FILE_NOT_FOUND

Trying RangerX code seems like I can go farther, at least the passwordcheck is successful; I'll keep posting my findings.

Offline

#28 2014-09-10 10:31:22

JerryC_ph
Member
Registered: 2013-03-11
Posts: 16

Re: Javascript authentication

Hi moctes,

I've modified esmondb's code by adding a field to SynAuth:

fServerUrl : "",

Change the Login definition to:

SynAuth.LogIn = function (serverUrl, root, username, password, callback, failCallback)

Add this line in the Login function:

SynAuth.fServerUrl = serverUrl;

The url parameter for the $.get and the ajax calls should now start with:
           SynAuth.fServerUrl+"/"+ SynAuth.fRoot

Now you can call

SynAuth.LogIn("http://localhost:888", "root", "User", "synopse").

I believe this modification is necessary:
    1.  to allow the code to work across domains and
    2.  not mess up with the hash.

Last edited by JerryC_ph (2014-09-10 10:37:02)

Offline

#29 2014-09-10 12:17:38

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Has anyone some working JavaScript code to publish, and working with the latest version of mORMot?

Here at Synopse, we rely on SmartMobileStudio clients, so we do not need this code, but it may help other users!

cool

Offline

#30 2014-09-10 20:56:31

moctes
Member
From: Mexico
Registered: 2013-05-11
Posts: 129

Re: Javascript authentication

JerryC_ph wrote:

Hi moctes,

I've modified esmondb's code by adding a field to SynAuth:
.
.
.

Hi Jerry,

I used RangerX code without problems on that occasion and I have been using it on production since then but I will make some time to check esmondb's with your suggested tweaks.


Regards.

Offline

#31 2014-09-14 22:36:30

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: Javascript authentication

moctes wrote:

[I used RangerX code without problems on that occasion and I have been using it on production.

Can you confirm that RangerX code is actually buggy. It works fine, it adds the token to all requests, and you get the expected responses. Take a look:

1st request
http://localhost:888/service/Calculator.Add?n1=2&n2=4&session_signature=003d064c007646c547c31ae1&session_signature=003d064c007646c58992cac3&session_signature=003d064c007646c582c494f7

--> {"result":[6]}

2nd request
http://localhost:888/service/Calculator.Add?n1=2&n2=4&session_signature=003d064c007647289e6c71d6&session_signature=003d064c0076472843503d24&session_signature=003d064c007647289ea9d2ff&session_signature=003d064c007647284c67a6f5

--> {"result":[6]}

10th request
http://localhost:888/service/Calculator.Add?n1=2&n2=4&session_signature=003d064c007647e465a27b6e&session_signature=003d064c007647e4b7c7fa93&session_signature=003d064c007647e478819bc0&session_signature=003d064c007647e4ddbfd67e&session_signature=003d064c007647e46e9355ac&session_signature=003d064c007647e485cafaff&session_signature=003d064c007647e4f27da9cb&session_signature=003d064c007647e4d1bc5f3f&session_signature=003d064c007647e4cfb9544e&session_signature=003d064c007647e45b847e2e&session_signature=003d064c007647e4d630d140&session_signature=003d064c007647e44562a5b9

--> {"result":[6]}


The HTTP protocol does not place any a priori limit on the length of a URI, but the HTTP clients (e.g. browsers) may have their own limits.

Offline

#32 2014-09-15 06:42:26

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Re: Javascript authentication

Here's a go at a typescript version. It's very much an experiment and untested but could be a good starting point for someone.

I've created a sample web page which emulates the sample 4 client. It's a bit of a hack as there isn't any client side ORM but basic functions work.

It uses a 'singleton' design which made it simpler to write but restricts it to one active login at a time - there's probably a better way. On the plus

side it has no JavaScript library dependencies. Any feedback welcome.

mORMotClient.ts

module mORMot {

  function getXhr(): XMLHttpRequest {
    for(var i=0; i<4; i++){
      try{
        return i ?
          new ActiveXObject([, "Msxml2", "Msxml3", "Microsoft"][i] + ".XMLHTTP")
          : new XMLHttpRequest;
      }
      catch(e){
        // ignore when it fails.
      }
    }
  }

  export interface logInOutCallback {
    (success: boolean, data?: string): void;
  }

  export interface onServerRespose {
    (HTTPstatus: number, data?:{} ) : void;
  }

  export class Client {
    private static _instance: Client; //singleton
    private static allowInstantiation:Boolean;
    public static getInstance():Client{
      if (Client._instance == null) {
        Client.allowInstantiation = true;
        Client._instance = new Client();
        Client.allowInstantiation = false;
      }
      return Client._instance;
    }
    private User : string = "";
    private Root : string = "";
    private ServerURL : string = "";
    private loggedIn : boolean = false;
    private SessionID : number = 0;
    private SessionIDHexa8 : string = "";
    private SessionPrivateKey : number = 0;
    private SessionTickCountOffset : number = 0;
    private PasswordHashHexa : string = "";
    private ServerTimeStampOffset : number = 0;
    private LoginCallback : logInOutCallback;
    private LogoutCallback : logInOutCallback;
    constructor() {
      if (!Client.allowInstantiation) {
        throw new Error("Error: Instantiation failed: Use mORMot.Client.getInstance() instead of new.");
      }
    }

    //
    //   hexadecimal representation of a number
    //   (note toString(16) is implementation-dependant, and
    //   in IE returns signed numbers when used on full words)
    //
    private Sha256toHexStr(n: number): string{
      var s="", v, i;
      for (i=7; i>=0; i = i -1) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
      return s;
    }

    /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
    /*  Utf8 class: encode / decode between multi-byte Unicode characters and UTF-8 multiple          */
    /*              single-byte character encoding (c) Chris Veness 2002-2010                         */
    /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

    //var Utf8 = {};  // Utf8 namespace

    /**
     * Encode multi-byte Unicode string into utf-8 multiple single-byte characters
     * (BMP / basic multilingual plane only)
     *
     * Chars in range U+0080 - U+07FF are encoded in 2 chars, U+0800 - U+FFFF in 3 chars
     *
     * @param {String} strUni Unicode string to be encoded as UTF-8
     * @returns {String} encoded string
     */
    private Utf8encode(strUni: string): string {
      // use regular expressions & String.replace callback function for better efficiency
      // than procedural approaches
      var strUtf = strUni.replace(
          /[\u0080-\u07ff]/g,  // U+0080 - U+07FF => 2 bytes 110yyyyy, 10zzzzzz
          function(c) {
            var cc = c.charCodeAt(0);
            return String.fromCharCode(0xc0 | cc>>6, 0x80 | cc&0x3f); }
        );
      strUtf = strUtf.replace(
          /[\u0800-\uffff]/g,  // U+0800 - U+FFFF => 3 bytes 1110xxxx, 10yyyyyy, 10zzzzzz
          function(c) {
            var cc = c.charCodeAt(0);
            return String.fromCharCode(0xe0 | cc>>12, 0x80 | cc>>6&0x3F, 0x80 | cc&0x3f); }
        );
      return strUtf;
    }

    /**
     * Decode utf-8 encoded string back into multi-byte Unicode characters
     *
     * @param {String} strUtf UTF-8 string to be decoded back to Unicode
     * @returns {String} decoded string
     */
    private Utf8decode(strUtf: string): string {
      // note: decode 3-byte chars first as decoded 2-byte strings could appear to be 3-byte char!
      var strUni = strUtf.replace(
          /[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g,  // 3-byte chars
          function(c) {  // (note parentheses for precence)
            var cc = ((c.charCodeAt(0)&0x0f)<<12) | ((c.charCodeAt(1)&0x3f)<<6) | ( c.charCodeAt(2)&0x3f);
            return String.fromCharCode(cc); }
        );
      strUni = strUni.replace(
          /[\u00c0-\u00df][\u0080-\u00bf]/g,                 // 2-byte chars
          function(c) {  // (note parentheses for precence)
            var cc = (c.charCodeAt(0)&0x1f)<<6 | c.charCodeAt(1)&0x3f;
            return String.fromCharCode(cc); }
        );
      return strUni;
    }

    private Sha256ROTR(n, x) { return (x >>> n) | (x << (32-n)); }
    private Sha256Sigma0(x) { return this.Sha256ROTR(2,  x) ^ this.Sha256ROTR(13, x) ^ this.Sha256ROTR(22, x); }
    private Sha256Sigma1(x) { return this.Sha256ROTR(6,  x) ^ this.Sha256ROTR(11, x) ^ this.Sha256ROTR(25, x); }
    private Sha256sigma0(x) { return this.Sha256ROTR(7,  x) ^ this.Sha256ROTR(18, x) ^ (x>>>3);  }
    private Sha256sigma1(x) { return this.Sha256ROTR(17, x) ^ this.Sha256ROTR(19, x) ^ (x>>>10); }
    private Sha256Ch(x, y, z)  { return (x & y) ^ (~x & z); }
    private Sha256Maj(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); }

    private Sha256hash(msg: string, utf8encode?: boolean): string {
      var K,H,l,N,M,i,j,W,a, b, c, d, e, f, g, h, t, T1, T2;
      utf8encode =  (typeof utf8encode == 'undefined') ? true : utf8encode;
      // convert string to UTF-8, as SHA only deals with byte-streams
      if (utf8encode) {msg = this.Utf8encode(msg);}
      // constants [§4.2.2]
      K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
           0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
           0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
           0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
           0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
           0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
           0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
           0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2];
      // initial hash value [§5.3.1]
      H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];

      // PREPROCESSING      
      msg += String.fromCharCode(0x80);  // add trailing '1' bit (+ 0's padding) to string [§5.1.1]

      // convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
      l = msg.length/4 + 2;  // length (in 32-bit integers) of msg + ‘1’ + appended length
      N = Math.ceil(l/16);   // number of 16-integer-blocks required to hold 'l' ints
      M = [N];//new Array(N);

      for (i=0; i<N; i = i+1) {
          M[i] = new Array(16);
          for (j=0; j<16; j = j +1) {  // encode 4 chars per integer, big-endian encoding
              M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) |
                        (msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
          } // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
      }
      // add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
      // note: most significant word would be (len-1)*8 >>> 32, but since JS converts
      // bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
      M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14]);
      M[N-1][15] = (((msg.length-1)*8) & 0xffffffff);

      // HASH COMPUTATION [§6.1.2]

      W = new Array(64);
      for (i=0; i<N; i = i+1) {

        // 1 - prepare message schedule 'W'
        for (t=0;  t<16; t = t+1) {W[t] = M[i][t];}
        for (t=16; t<64; t = t+1) {W[t] = (this.Sha256sigma1(W[t-2]) + W[t-7] + this.Sha256sigma0(W[t-15]) + W[t-16]) & 0xffffffff;}

        // 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
        a = H[0]; b = H[1]; c = H[2]; d = H[3]; e = H[4]; f = H[5]; g = H[6]; h = H[7];

        // 3 - main loop (note 'addition modulo 2^32')
        for (t=0; t<64; t = t+1) {
          T1 = h + this.Sha256Sigma1(e) + this.Sha256Ch(e, f, g) + K[t] + W[t];
          T2 = this.Sha256Sigma0(a) + this.Sha256Maj(a, b, c);
          h = g;
          g = f;
          f = e;
          e = (d + T1) & 0xffffffff;
          d = c;
          c = b;
          b = a;
          a = (T1 + T2) & 0xffffffff;
        }
         // 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
        H[0] = (H[0]+a) & 0xffffffff;
        H[1] = (H[1]+b) & 0xffffffff;
        H[2] = (H[2]+c) & 0xffffffff;
        H[3] = (H[3]+d) & 0xffffffff;
        H[4] = (H[4]+e) & 0xffffffff;
        H[5] = (H[5]+f) & 0xffffffff;
        H[6] = (H[6]+g) & 0xffffffff;
        H[7] = (H[7]+h) & 0xffffffff;
      }

      return this.Sha256toHexStr(H[0]) + this.Sha256toHexStr(H[1]) + this.Sha256toHexStr(H[2]) + this.Sha256toHexStr(H[3]) +
             this.Sha256toHexStr(H[4]) + this.Sha256toHexStr(H[5]) + this.Sha256toHexStr(H[6]) + this.Sha256toHexStr(H[7]);
    }

    /*
      CRC-32 (as it is in ZMODEM) in table form

      Copyright (C) 1986 Gary S. Brown. You may use this program, or
      code or tables extracted from it, as desired without restriction.

      Modified by Anders Danielsson, February 5, 1989 and March 10, 2006.

      This is also known as FCS-32 (as it is in PPP), described in
      RFC-1662 by William Allen Simpson, see RFC-1662 for references.
    */
    private Crc32Tab = [ /* CRC polynomial 0xEDB88320 */
    0x00000000,0x77073096,0xEE0E612C,0x990951BA,0x076DC419,0x706AF48F,0xE963A535,0x9E6495A3,
    0x0EDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x09B64C2B,0x7EB17CBD,0xE7B82D07,0x90BF1D91,
    0x1DB71064,0x6AB020F2,0xF3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7,
    0x136C9856,0x646BA8C0,0xFD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0xFA0F3D63,0x8D080DF5,
    0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172,0x3C03E4D1,0x4B04D447,0xD20D85FD,0xA50AB56B,
    0x35B5A8FA,0x42B2986C,0xDBBBC9D6,0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,
    0x26D930AC,0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,0xB8BDA50F,
    0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,0x58684C11,0xC1611DAB,0xB6662D3D,
    0x76DC4190,0x01DB7106,0x98D220BC,0xEFD5102A,0x71B18589,0x06B6B51F,0x9FBFE4A5,0xE8B8D433,
    0x7807C9A2,0x0F00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,0x086D3D2D,0x91646C97,0xE6635C01,
    0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0xF50FC457,
    0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,
    0x4DB26158,0x3AB551CE,0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,0xD3D6F4FB,
    0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,
    0x5005713C,0x270241AA,0xBE0B1010,0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F,
    0x5EDEF90E,0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,0xB7BD5C3B,0xC0BA6CAD,
    0xEDB88320,0x9ABFB3B6,0x03B6E20C,0x74B1D29A,0xEAD54739,0x9DD277AF,0x04DB2615,0x73DC1683,
    0xE3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0xE40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,
    0xF00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,0x6E6B06E7,
    0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,
    0xD6D6A3E8,0xA1D1937E,0x38D8C2C4,0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,
    0xD80D2BDA,0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,0x4669BE79,
    0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,0xBB0B4703,0x220216B9,0x5505262F,
    0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,0x5CB36A04,0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,
    0x9B64C2B0,0xEC63F226,0x756AA39C,0x026D930A,0x9C0906A9,0xEB0E363F,0x72076785,0x05005713,
    0x95BF4A82,0xE2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0xE5D5BE0D,0x7CDCEFB7,0x0BDBDF21,
    0x86D3D2D4,0xF1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,
    0x88085AE6,0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,0x166CCF45,
    0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,0xD06016F7,0x4969474D,0x3E6E77DB,
    0xAED16A4A,0xD9D65ADC,0x40DF0B66,0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9,
    0xBDBDF21C,0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,0xCDD70693,0x54DE5729,0x23D967BF,
    0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,0xB40BBE37,0xC30C8EA1,0x5A05DF1B,0x2D02EF8D];

    private Crc32Add(crc,c)
    /*
      'crc' should be initialized to 0xFFFFFFFF and after the computation it should be
      complemented (inverted).

      CRC-32 is also known as FCS-32.

      If the FCS-32 is calculated over the data and over the complemented FCS-32, the
      result will always be 0xDEBB20E3 (without the complementation).
    */
    {
      return Client._instance.Crc32Tab[(crc^c)&0xFF]^((crc>>8)&0xFFFFFF);
    }

    private crc32(str, crc)
    {
      var n, len;
      len = str.length;
      //var crc;
      if (typeof(crc) == "undefined") { crc = 0xFFFFFFFF; }
      else {
        crc = crc^0xFFFFFFFF; //crc = ~crc;
        if (crc < 0) {
          crc = 4294967296 + crc;
        } 
      }
      //crc=0xFFFFFFFF;
      for (n=0; n<len; n = n+1) {
        crc = Client._instance.Crc32Add(crc,str.charCodeAt(n));
      }
      crc = crc^0xFFFFFFFF; //crc = ~crc;
      if (crc < 0) {
        crc = 4294967296 + crc;
      } 
      return crc;//^0xFFFFFFFF;
    }

    public logIn(url: string, root: string, username: string, password: string, callbackFunc?: logInOutCallback) {
      var SynAuth = this, d = new Date();   
      SynAuth.ServerURL = url;
      SynAuth.Root = root;
      SynAuth.User = username;
      SynAuth.PasswordHashHexa = SynAuth.Sha256hash("salt" + password);
      SynAuth.SessionTickCountOffset = d.getTime();
      if (callbackFunc) { SynAuth.LoginCallback = callbackFunc; }
      var XHR: XMLHttpRequest = getXhr();
      XHR.open("GET", SynAuth.ServerURL + "/" + SynAuth.Root + "/TimeStamp");
      XHR.onreadystatechange = SynAuth.onGotTimestamp;
      XHR.send(null);
    }

    public logout(callbackFunc?: logInOutCallback): void {
      if (callbackFunc) { Client._instance.LogoutCallback = callbackFunc; }
      var XHR: XMLHttpRequest = getXhr();
      XHR.open("GET", Client._instance.ServerURL +"/"+ Client._instance.signUrl(Client._instance.Root+"/Auth?UserName="+Client._instance.User

+"&Session="+Client._instance.SessionID));
      //XHR.onreadystatechange = Client._instance.onLogout;
      XHR.send(null);
    }

    public logoutSync(): boolean {
      var XHR: XMLHttpRequest = getXhr();
      XHR.open("GET", Client._instance.ServerURL +"/"+ Client._instance.signUrl(Client._instance.Root+"/Auth?UserName="+Client._instance.User

+"&Session="+Client._instance.SessionID), false);
      XHR.send(null);
      var success: boolean = (XHR.status >= 200 && XHR.status < 300)
      if (success) {
        Client._instance.ServerURL = '';
        Client._instance.Root = '';
      	Client._instance.User = '';
        Client._instance.SessionID = 0;
        Client._instance.SessionIDHexa8 = '';
        Client._instance.SessionPrivateKey = 0;
        Client._instance.LoginCallback = null;
        Client._instance.LogoutCallback = null;
      }
      return success;
    }

    public signUrl(url: string): string {
      if (Client._instance.loggedIn === true) {
        var Tix, Nonce, s, ss, d = new Date();
        Tix = d.getTime() - Client._instance.SessionTickCountOffset;
        Nonce = Tix.toString(16);
        while(Nonce.length < 8) { Nonce = '0'+Nonce; }
        if (Nonce.length > 8) { Nonce = Nonce.slice(Nonce.length-8); }
        ss = Client._instance.crc32(url, Client._instance.crc32(Nonce, Client._instance.SessionPrivateKey)).toString(16);
        while(ss.length < 8) { ss = '0'+ss; }
        s = url.indexOf("?") === -1 ? url+'?session_signature=' : url+'&session_signature=';
        return s + Client._instance.SessionIDHexa8 + Nonce + ss;
      } else {
        return url;
      }
    }

    public retrieveRecordWhere(table:string, select: string, where: string, callback?: onServerRespose) {
      var XHR: XMLHttpRequest = getXhr(),
          s: string = Client._instance.ServerURL+'/'+Client._instance.signUrl(Client._instance.Root + '/' + table +
                    '?select=' + select + '&where=' +where+'&limit=1');
      XHR.onreadystatechange = Client._instance.onRetrieveRecordCallback;
      XHR.open("GET", s);
      XHR.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
      XHR.send(null);
    }

    public retrieveRecord(table:string, id:number, forUpdate:boolean) {
      var XHR: XMLHttpRequest = getXhr();
      XHR.onreadystatechange = Client._instance.onRetrieveRecordCallback;
      var s: string = Client._instance.ServerURL + "/" + Client._instance.signUrl(Client._instance.Root + "/" + table + "/" + id);
      if (!forUpdate) {
        XHR.open("GET", s);
      } else {
        XHR.open("LOCK", s);
      }
      XHR.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
      XHR.send(null);
    }

    public addRecord(table:string, record) {
      var XHR: XMLHttpRequest = getXhr();
      var s: string = Client._instance.ServerURL+"/"+Client._instance.signUrl(Client._instance.Root + "/" + table);
      XHR.onreadystatechange = Client._instance.onAddRecordCallback;
      XHR.open("POST", s);
      XHR.send(JSON.stringify(record || {}));
    }

    public unlockRecord(table: string, id: number) {
      //UNLOCK
      var s: string = Client._instance.ServerURL+"/"+Client._instance.signUrl(Client._instance.Root + "/" + table + "/" + id);
      var XHR: XMLHttpRequest = getXhr();
      XHR.open("UNLOCK", "/" + s);
      XHR.onreadystatechange = Client._instance.onUnlockRecordCallback;
      XHR.send(null);
    }

    //Login callbacks
    private onGotTimestamp = function(ev: Event) {
      if (this.readyState == 4) {
        if (this.status !== 200) {
          if(Client._instance.LoginCallback instanceof Function) {
              Client._instance.LoginCallback(false, this.status + " " + this.statusText);
          }
        } else {
          var s:string = '', d = new Date(), clientTime: string = '';
          var timestamp: number = parseInt(this.responseText, 10);
          s = d.getFullYear().toString(2);
          while(s.length < 13) { s = '0'+s;}
          clientTime = s;
          s = d.getMonth().toString(2);
          while(s.length < 4) { s = '0'+s;}
          clientTime = clientTime +s;
          s = (d.getDate()-1).toString(2);
          while(s.length < 5) { s = '0'+s;}
          clientTime = clientTime +s;
          s = d.getHours().toString(2);
          while(s.length < 5) { s = '0'+s;}
          clientTime = clientTime +s;
          s = d.getMinutes().toString(2);
          while(s.length < 6) { s = '0'+s;}
          clientTime = clientTime +s;
          s = d.getSeconds().toString(2);
          while(s.length < 6) { s = '0'+s;}
          clientTime = clientTime +s;
          Client._instance.ServerTimeStampOffset = (timestamp - parseInt(clientTime,2));
          var XHR: XMLHttpRequest = getXhr();//new XMLHttpRequest();
          XHR.open("GET", Client._instance.ServerURL + "/" + Client._instance.Root + "/Auth?UserName="+Client._instance.User, true);
          XHR.onreadystatechange = Client._instance.onGotNonce;
          XHR.send(null);
          XHR.ontimeout = function () { alert("timeout!");}
        }
      }
    }

    private onGotNonce = function(ev: Event) {
      if (this.readyState == 4) {
        if (this.status !== 200) {
          if(Client._instance.LoginCallback instanceof Function) {
            Client._instance.LoginCallback(false, this.status + " " + this.statusText);
          }
        } else {
          //create client nonce
          var aClientNonce = "", s: string = "", d = new Date();
          aClientNonce = d.getFullYear().toString();
          s = d.getMonth().toString();
          if (s.length === 1) { s = '0'+s;}
          aClientNonce = aClientNonce + '-' + s;
          s = d.getDate().toString();
          if (s.length === 1) { s = '0'+s;}
          aClientNonce = aClientNonce + '-' + s + ' ';
          s = d.getHours().toString();
          if (s.length === 1) { s = '0'+s;}
          aClientNonce = aClientNonce + s;
          s = d.getMinutes().toString();
          if (s.length === 1) { s = '0'+s;}
          aClientNonce = aClientNonce + ':' + s;
          s = d.getSeconds().toString();
          if (s.length === 1) { s = '0'+s;}
          aClientNonce = aClientNonce + ':' + s;
          aClientNonce = Client._instance.Sha256hash(aClientNonce);
          var data = JSON.parse(this.responseText);
          s = Client._instance.ServerURL + "/"+Client._instance.Root+"/Auth?UserName="+Client._instance.User+"&Password=" + 
              Client._instance.Sha256hash(Client._instance.Root+data.result+aClientNonce+Client._instance.User+Client._instance.PasswordHashHexa) + 
              "&ClientNonce="+aClientNonce;
          var XHR: XMLHttpRequest = getXhr();
          XHR.open("GET", s, true);
          XHR.onreadystatechange = Client._instance.onGotSession;
          XHR.send(null);
        }
      }
    }

    private onGotSession = function(ev: Event) {
      if (this.readyState == 4) {
        if (this.status !== 200) {
          if(Client._instance.LoginCallback instanceof Function) {
            Client._instance.LoginCallback(false, this.status + " " + this.statusText);
          }
        } else {
          var data = JSON.parse(this.responseText);
          var i = data.result.indexOf("+");
          Client._instance.SessionID = parseInt(data.result.slice(0, i), 10);
          Client._instance.SessionIDHexa8 = Client._instance.SessionID.toString(16);
          while(Client._instance.SessionIDHexa8.length < 8) { Client._instance.SessionIDHexa8 = '0'+Client._instance.SessionIDHexa8; }
          Client._instance.loggedIn = true;
          Client._instance.SessionPrivateKey = Client._instance.crc32(Client._instance.PasswordHashHexa, Client._instance.crc32(data.result, 0));
          if(Client._instance.LoginCallback instanceof Function) {
            Client._instance.LoginCallback(true, Client._instance.User);
          }
        }
      }
    }

    private onLogout = function (ev: Event) {
      if (this.readyState == 4) {
        var success: boolean = (this.status >= 200 && this.status < 300);
        if (Client._instance.LogoutCallback instanceof Function) {
          Client._instance.LogoutCallback(success, "");
        }
        if (success) {
          Client._instance.ServerURL = '';
          Client._instance.Root = '';
          Client._instance.User = '';
          Client._instance.SessionID = 0;
          Client._instance.SessionIDHexa8 = "";
          Client._instance.SessionPrivateKey = 0;
          Client._instance.LoginCallback = null;
          Client._instance.LogoutCallback = null;
        }
      }
    }

    private onRetrieveRecordCallback = function (ev: Event) {
      if (this.readyState == 4) {
        //var success = (this.status >= 200 && this.status < 300);
        var obj = JSON.parse(this.response) || {}; //JSON.parse(this.responseText || {});
        if (Client._instance.onRetrieveRecord instanceof Function){//onRetrieveRecord
          Client._instance.onRetrieveRecord(this.status, obj);
        }
      }
    }

    private onAddRecordCallback = function (ev: Event) {
      if (this.readyState == 4) {
        if (Client._instance.onAddRecord instanceof Function) {
          Client._instance.onAddRecord(this.status, this.getResponseHeader('Location'));
        }
      }
    }

    private onUnlockRecordCallback = function (ev: Event) {
      if (this.readyState == 4) {
        var success = (this.status >= 200 && this.status < 300);
        if(Client._instance.onUnlockRecord instanceof Function){
          Client._instance.onUnlockRecord(success);
        }
      }
    }

    //public events
    public onRetrieveRecord: (HTTPstatus: number, data:{}) => void;
    public onAddRecord: (HTTPstatus: number, recordLocation: string) => void;
    public onUnlockRecord: (success: boolean) => void;
  }
}

mORMotClient.js

var mORMot;
(function (mORMot) {
    function getXhr() {
        for (var i = 0; i < 4; i++) {
            try  {
                return i ? new ActiveXObject([, "Msxml2", "Msxml3", "Microsoft"][i] + ".XMLHTTP") : new XMLHttpRequest;
            } catch (e) {
                // ignore when it fails.
            }
        }
    }

    var Client = (function () {
        function Client() {
            this.User = "";
            this.Root = "";
            this.ServerURL = "";
            this.loggedIn = false;
            this.SessionID = 0;
            this.SessionIDHexa8 = "";
            this.SessionPrivateKey = 0;
            this.SessionTickCountOffset = 0;
            this.PasswordHashHexa = "";
            this.ServerTimeStampOffset = 0;
            /*
            CRC-32 (as it is in ZMODEM) in table form
            
            Copyright (C) 1986 Gary S. Brown. You may use this program, or
            code or tables extracted from it, as desired without restriction.
            
            Modified by Anders Danielsson, February 5, 1989 and March 10, 2006.
            
            This is also known as FCS-32 (as it is in PPP), described in
            RFC-1662 by William Allen Simpson, see RFC-1662 for references.
            */
            this.Crc32Tab = [
                0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
                0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
                0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
                0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
                0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
                0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
                0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
                0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
                0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
                0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
                0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
                0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
                0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
                0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
                0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
                0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
                0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
                0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
                0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
                0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
                0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
                0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
                0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
                0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
                0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
                0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
                0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
                0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
                0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
                0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
                0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
                0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D];
            //Login callbacks
            this.onGotTimestamp = function (ev) {
                if (this.readyState == 4) {
                    if (this.status !== 200) {
                        if (Client._instance.LoginCallback instanceof Function) {
                            Client._instance.LoginCallback(false, this.status + " " + this.statusText);
                        }
                    } else {
                        var s = '', d = new Date(), clientTime = '';
                        var timestamp = parseInt(this.responseText, 10);
                        s = d.getFullYear().toString(2);
                        while (s.length < 13) {
                            s = '0' + s;
                        }
                        clientTime = s;
                        s = d.getMonth().toString(2);
                        while (s.length < 4) {
                            s = '0' + s;
                        }
                        clientTime = clientTime + s;
                        s = (d.getDate() - 1).toString(2);
                        while (s.length < 5) {
                            s = '0' + s;
                        }
                        clientTime = clientTime + s;
                        s = d.getHours().toString(2);
                        while (s.length < 5) {
                            s = '0' + s;
                        }
                        clientTime = clientTime + s;
                        s = d.getMinutes().toString(2);
                        while (s.length < 6) {
                            s = '0' + s;
                        }
                        clientTime = clientTime + s;
                        s = d.getSeconds().toString(2);
                        while (s.length < 6) {
                            s = '0' + s;
                        }
                        clientTime = clientTime + s;
                        Client._instance.ServerTimeStampOffset = (timestamp - parseInt(clientTime, 2));
                        var XHR = getXhr();
                        XHR.open("GET", Client._instance.ServerURL + "/" + Client._instance.Root + "/Auth?UserName=" + Client._instance.User, true);
                        XHR.onreadystatechange = Client._instance.onGotNonce;
                        XHR.send(null);
                        XHR.ontimeout = function () {
                            alert("timeout!");
                        };
                    }
                }
            };
            this.onGotNonce = function (ev) {
                if (this.readyState == 4) {
                    if (this.status !== 200) {
                        if (Client._instance.LoginCallback instanceof Function) {
                            Client._instance.LoginCallback(false, this.status + " " + this.statusText);
                        }
                    } else {
                        //create client nonce
                        var aClientNonce = "", s = "", d = new Date();
                        aClientNonce = d.getFullYear().toString();
                        s = d.getMonth().toString();
                        if (s.length === 1) {
                            s = '0' + s;
                        }
                        aClientNonce = aClientNonce + '-' + s;
                        s = d.getDate().toString();
                        if (s.length === 1) {
                            s = '0' + s;
                        }
                        aClientNonce = aClientNonce + '-' + s + ' ';
                        s = d.getHours().toString();
                        if (s.length === 1) {
                            s = '0' + s;
                        }
                        aClientNonce = aClientNonce + s;
                        s = d.getMinutes().toString();
                        if (s.length === 1) {
                            s = '0' + s;
                        }
                        aClientNonce = aClientNonce + ':' + s;
                        s = d.getSeconds().toString();
                        if (s.length === 1) {
                            s = '0' + s;
                        }
                        aClientNonce = aClientNonce + ':' + s;
                        aClientNonce = Client._instance.Sha256hash(aClientNonce);
                        var data = JSON.parse(this.responseText);
                        s = Client._instance.ServerURL + "/" + Client._instance.Root + "/Auth?UserName=" + Client._instance.User + "&Password=" + 

Client._instance.Sha256hash(Client._instance.Root + data.result + aClientNonce + Client._instance.User + Client._instance.PasswordHashHexa) + 

"&ClientNonce=" + aClientNonce;
                        var XHR = getXhr();
                        XHR.open("GET", s, true);
                        XHR.onreadystatechange = Client._instance.onGotSession;
                        XHR.send(null);
                    }
                }
            };
            this.onGotSession = function (ev) {
                if (this.readyState == 4) {
                    if (this.status !== 200) {
                        if (Client._instance.LoginCallback instanceof Function) {
                            Client._instance.LoginCallback(false, this.status + " " + this.statusText);
                        }
                    } else {
                        var data = JSON.parse(this.responseText);
                        var i = data.result.indexOf("+");
                        Client._instance.SessionID = parseInt(data.result.slice(0, i), 10);
                        Client._instance.SessionIDHexa8 = Client._instance.SessionID.toString(16);
                        while (Client._instance.SessionIDHexa8.length < 8) {
                            Client._instance.SessionIDHexa8 = '0' + Client._instance.SessionIDHexa8;
                        }
                        Client._instance.loggedIn = true;
                        Client._instance.SessionPrivateKey = Client._instance.crc32(Client._instance.PasswordHashHexa, Client._instance.crc32

(data.result, 0));
                        if (Client._instance.LoginCallback instanceof Function) {
                            Client._instance.LoginCallback(true, Client._instance.User);
                        }
                    }
                }
            };
            this.onLogout = function (ev) {
                if (this.readyState == 4) {
                    var success = (this.status >= 200 && this.status < 300);
                    if (Client._instance.LogoutCallback instanceof Function) {
                        Client._instance.LogoutCallback(success, "");
                    }
                    if (success) {
                        Client._instance.ServerURL = '';
                        Client._instance.Root = '';
                        Client._instance.User = '';
                        Client._instance.SessionID = 0;
                        Client._instance.SessionIDHexa8 = "";
                        Client._instance.SessionPrivateKey = 0;
                        Client._instance.LoginCallback = null;
                        Client._instance.LogoutCallback = null;
                    }
                }
            };
            this.onRetrieveRecordCallback = function (ev) {
                if (this.readyState == 4) {
                    //var success = (this.status >= 200 && this.status < 300);
                    var obj = JSON.parse(this.response) || {};
                    if (Client._instance.onRetrieveRecord instanceof Function) {
                        Client._instance.onRetrieveRecord(this.status, obj);
                    }
                }
            };
            this.onAddRecordCallback = function (ev) {
                if (this.readyState == 4) {
                    if (Client._instance.onAddRecord instanceof Function) {
                        Client._instance.onAddRecord(this.status, this.getResponseHeader('Location'));
                    }
                }
            };
            this.onUnlockRecordCallback = function (ev) {
                if (this.readyState == 4) {
                    var success = (this.status >= 200 && this.status < 300);
                    if (Client._instance.onUnlockRecord instanceof Function) {
                        Client._instance.onUnlockRecord(success);
                    }
                }
            };
            if (!Client.allowInstantiation) {
                throw new Error("Error: Instantiation failed: Use mORMot.Client.getInstance() instead of new.");
            }
        }
        Client.getInstance = function () {
            if (Client._instance == null) {
                Client.allowInstantiation = true;
                Client._instance = new Client();
                Client.allowInstantiation = false;
            }
            return Client._instance;
        };

        //
        //   hexadecimal representation of a number
        //   (note toString(16) is implementation-dependant, and
        //   in IE returns signed numbers when used on full words)
        //
        Client.prototype.Sha256toHexStr = function (n) {
            var s = "", v, i;
            for (i = 7; i >= 0; i = i - 1) {
                v = (n >>> (i * 4)) & 0xf;
                s += v.toString(16);
            }
            return s;
        };

        /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
        /*  Utf8 class: encode / decode between multi-byte Unicode characters and UTF-8 multiple          */
        /*              single-byte character encoding (c) Chris Veness 2002-2010                         */
        /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
        //var Utf8 = {};  // Utf8 namespace
        /**
        * Encode multi-byte Unicode string into utf-8 multiple single-byte characters
        * (BMP / basic multilingual plane only)
        *
        * Chars in range U+0080 - U+07FF are encoded in 2 chars, U+0800 - U+FFFF in 3 chars
        *
        * @param {String} strUni Unicode string to be encoded as UTF-8
        * @returns {String} encoded string
        */
        Client.prototype.Utf8encode = function (strUni) {
            // use regular expressions & String.replace callback function for better efficiency
            // than procedural approaches
            var strUtf = strUni.replace(/[\u0080-\u07ff]/g, function (c) {
                var cc = c.charCodeAt(0);
                return String.fromCharCode(0xc0 | cc >> 6, 0x80 | cc & 0x3f);
            });
            strUtf = strUtf.replace(/[\u0800-\uffff]/g, function (c) {
                var cc = c.charCodeAt(0);
                return String.fromCharCode(0xe0 | cc >> 12, 0x80 | cc >> 6 & 0x3F, 0x80 | cc & 0x3f);
            });
            return strUtf;
        };

        /**
        * Decode utf-8 encoded string back into multi-byte Unicode characters
        *
        * @param {String} strUtf UTF-8 string to be decoded back to Unicode
        * @returns {String} decoded string
        */
        Client.prototype.Utf8decode = function (strUtf) {
            // note: decode 3-byte chars first as decoded 2-byte strings could appear to be 3-byte char!
            var strUni = strUtf.replace(/[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g, function (c) {
                var cc = ((c.charCodeAt(0) & 0x0f) << 12) | ((c.charCodeAt(1) & 0x3f) << 6) | (c.charCodeAt(2) & 0x3f);
                return String.fromCharCode(cc);
            });
            strUni = strUni.replace(/[\u00c0-\u00df][\u0080-\u00bf]/g, function (c) {
                var cc = (c.charCodeAt(0) & 0x1f) << 6 | c.charCodeAt(1) & 0x3f;
                return String.fromCharCode(cc);
            });
            return strUni;
        };

        Client.prototype.Sha256ROTR = function (n, x) {
            return (x >>> n) | (x << (32 - n));
        };
        Client.prototype.Sha256Sigma0 = function (x) {
            return this.Sha256ROTR(2, x) ^ this.Sha256ROTR(13, x) ^ this.Sha256ROTR(22, x);
        };
        Client.prototype.Sha256Sigma1 = function (x) {
            return this.Sha256ROTR(6, x) ^ this.Sha256ROTR(11, x) ^ this.Sha256ROTR(25, x);
        };
        Client.prototype.Sha256sigma0 = function (x) {
            return this.Sha256ROTR(7, x) ^ this.Sha256ROTR(18, x) ^ (x >>> 3);
        };
        Client.prototype.Sha256sigma1 = function (x) {
            return this.Sha256ROTR(17, x) ^ this.Sha256ROTR(19, x) ^ (x >>> 10);
        };
        Client.prototype.Sha256Ch = function (x, y, z) {
            return (x & y) ^ (~x & z);
        };
        Client.prototype.Sha256Maj = function (x, y, z) {
            return (x & y) ^ (x & z) ^ (y & z);
        };

        Client.prototype.Sha256hash = function (msg, utf8encode) {
            var K, H, l, N, M, i, j, W, a, b, c, d, e, f, g, h, t, T1, T2;
            utf8encode = (typeof utf8encode == 'undefined') ? true : utf8encode;

            // convert string to UTF-8, as SHA only deals with byte-streams
            if (utf8encode) {
                msg = this.Utf8encode(msg);
            }

            // constants [§4.2.2]
            K = [
                0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
                0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
                0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
                0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
                0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
                0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
                0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
                0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2];

            // initial hash value [§5.3.1]
            H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];

            // PREPROCESSING
            msg += String.fromCharCode(0x80); // add trailing '1' bit (+ 0's padding) to string [§5.1.1]

            // convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
            l = msg.length / 4 + 2; // length (in 32-bit integers) of msg + ‘1’ + appended length
            N = Math.ceil(l / 16); // number of 16-integer-blocks required to hold 'l' ints
            M = [N]; //new Array(N);

            for (i = 0; i < N; i = i + 1) {
                M[i] = new Array(16);
                for (j = 0; j < 16; j = j + 1) {
                    M[i][j] = (msg.charCodeAt(i * 64 + j * 4) << 24) | (msg.charCodeAt(i * 64 + j * 4 + 1) << 16) | (msg.charCodeAt(i * 64 + j * 4 + 2) 

<< 8) | (msg.charCodeAt(i * 64 + j * 4 + 3));
                }
            }

            // add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
            // note: most significant word would be (len-1)*8 >>> 32, but since JS converts
            // bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
            M[N - 1][14] = ((msg.length - 1) * 8) / Math.pow(2, 32);
            M[N - 1][14] = Math.floor(M[N - 1][14]);
            M[N - 1][15] = (((msg.length - 1) * 8) & 0xffffffff);

            // HASH COMPUTATION [§6.1.2]
            W = new Array(64);
            for (i = 0; i < N; i = i + 1) {
                for (t = 0; t < 16; t = t + 1) {
                    W[t] = M[i][t];
                }
                for (t = 16; t < 64; t = t + 1) {
                    W[t] = (this.Sha256sigma1(W[t - 2]) + W[t - 7] + this.Sha256sigma0(W[t - 15]) + W[t - 16]) & 0xffffffff;
                }

                // 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
                a = H[0];
                b = H[1];
                c = H[2];
                d = H[3];
                e = H[4];
                f = H[5];
                g = H[6];
                h = H[7];

                for (t = 0; t < 64; t = t + 1) {
                    T1 = h + this.Sha256Sigma1(e) + this.Sha256Ch(e, f, g) + K[t] + W[t];
                    T2 = this.Sha256Sigma0(a) + this.Sha256Maj(a, b, c);
                    h = g;
                    g = f;
                    f = e;
                    e = (d + T1) & 0xffffffff;
                    d = c;
                    c = b;
                    b = a;
                    a = (T1 + T2) & 0xffffffff;
                }

                // 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
                H[0] = (H[0] + a) & 0xffffffff;
                H[1] = (H[1] + b) & 0xffffffff;
                H[2] = (H[2] + c) & 0xffffffff;
                H[3] = (H[3] + d) & 0xffffffff;
                H[4] = (H[4] + e) & 0xffffffff;
                H[5] = (H[5] + f) & 0xffffffff;
                H[6] = (H[6] + g) & 0xffffffff;
                H[7] = (H[7] + h) & 0xffffffff;
            }

            return this.Sha256toHexStr(H[0]) + this.Sha256toHexStr(H[1]) + this.Sha256toHexStr(H[2]) + this.Sha256toHexStr(H[3]) + this.Sha256toHexStr(H

[4]) + this.Sha256toHexStr(H[5]) + this.Sha256toHexStr(H[6]) + this.Sha256toHexStr(H[7]);
        };

        Client.prototype.Crc32Add = function (crc, c) {
            return Client._instance.Crc32Tab[(crc ^ c) & 0xFF] ^ ((crc >> 8) & 0xFFFFFF);
        };

        Client.prototype.crc32 = function (str, crc) {
            var n, len;
            len = str.length;

            //var crc;
            if (typeof (crc) == "undefined") {
                crc = 0xFFFFFFFF;
            } else {
                crc = crc ^ 0xFFFFFFFF; //crc = ~crc;
                if (crc < 0) {
                    crc = 4294967296 + crc;
                }
            }

            for (n = 0; n < len; n = n + 1) {
                crc = Client._instance.Crc32Add(crc, str.charCodeAt(n));
            }
            crc = crc ^ 0xFFFFFFFF; //crc = ~crc;
            if (crc < 0) {
                crc = 4294967296 + crc;
            }
            return crc;
        };

        Client.prototype.logIn = function (url, root, username, password, callbackFunc) {
            var SynAuth = this, d = new Date();
            SynAuth.ServerURL = url;
            SynAuth.Root = root;
            SynAuth.User = username;
            SynAuth.PasswordHashHexa = SynAuth.Sha256hash("salt" + password);
            SynAuth.SessionTickCountOffset = d.getTime();
            if (callbackFunc) {
                SynAuth.LoginCallback = callbackFunc;
            }
            var XHR = getXhr();
            XHR.open("GET", SynAuth.ServerURL + "/" + SynAuth.Root + "/TimeStamp");
            XHR.onreadystatechange = SynAuth.onGotTimestamp;
            XHR.send(null);
        };

        Client.prototype.logout = function (callbackFunc) {
            if (callbackFunc) {
                Client._instance.LogoutCallback = callbackFunc;
            }
            var XHR = getXhr();
            XHR.open("GET", Client._instance.ServerURL + "/" + Client._instance.signUrl(Client._instance.Root + "/Auth?UserName=" + Client._instance.User 

+ "&Session=" + Client._instance.SessionID));

            //XHR.onreadystatechange = Client._instance.onLogout;
            XHR.send(null);
        };

        Client.prototype.logoutSync = function () {
            var XHR = getXhr();
            XHR.open("GET", Client._instance.ServerURL + "/" + Client._instance.signUrl(Client._instance.Root + "/Auth?UserName=" + Client._instance.User 

+ "&Session=" + Client._instance.SessionID), false);
            XHR.send(null);
            var success = (XHR.status >= 200 && XHR.status < 300);
            if (success) {
                Client._instance.ServerURL = '';
                Client._instance.Root = '';
                Client._instance.User = '';
                Client._instance.SessionID = 0;
                Client._instance.SessionIDHexa8 = '';
                Client._instance.SessionPrivateKey = 0;
                Client._instance.LoginCallback = null;
                Client._instance.LogoutCallback = null;
            }
            return success;
        };

        Client.prototype.signUrl = function (url) {
            if (Client._instance.loggedIn === true) {
                var Tix, Nonce, s, ss, d = new Date();
                Tix = d.getTime() - Client._instance.SessionTickCountOffset;
                Nonce = Tix.toString(16);
                while (Nonce.length < 8) {
                    Nonce = '0' + Nonce;
                }
                if (Nonce.length > 8) {
                    Nonce = Nonce.slice(Nonce.length - 8);
                }
                ss = Client._instance.crc32(url, Client._instance.crc32(Nonce, Client._instance.SessionPrivateKey)).toString(16);
                while (ss.length < 8) {
                    ss = '0' + ss;
                }
                s = url.indexOf("?") === -1 ? url + '?session_signature=' : url + '&session_signature=';
                return s + Client._instance.SessionIDHexa8 + Nonce + ss;
            } else {
                return url;
            }
        };

        Client.prototype.retrieveRecordWhere = function (table, select, where, callback) {
            var XHR = getXhr(), s = Client._instance.ServerURL + '/' + Client._instance.signUrl(Client._instance.Root + '/' + table + '?select=' + select 

+ '&where=' + where + '&limit=1');
            XHR.onreadystatechange = Client._instance.onRetrieveRecordCallback;
            XHR.open("GET", s);
            XHR.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
            XHR.send(null);
        };

        Client.prototype.retrieveRecord = function (table, id, forUpdate) {
            var XHR = getXhr();
            XHR.onreadystatechange = Client._instance.onRetrieveRecordCallback;
            var s = Client._instance.ServerURL + "/" + Client._instance.signUrl(Client._instance.Root + "/" + table + "/" + id);
            if (!forUpdate) {
                XHR.open("GET", s);
            } else {
                XHR.open("LOCK", s);
            }
            XHR.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
            XHR.send(null);
        };

        Client.prototype.addRecord = function (table, record) {
            var XHR = getXhr();
            var s = Client._instance.ServerURL + "/" + Client._instance.signUrl(Client._instance.Root + "/" + table);
            XHR.onreadystatechange = Client._instance.onAddRecordCallback;
            XHR.open("POST", s);
            XHR.send(JSON.stringify(record || {}));
        };

        Client.prototype.unlockRecord = function (table, id) {
            //UNLOCK
            var s = Client._instance.ServerURL + "/" + Client._instance.signUrl(Client._instance.Root + "/" + table + "/" + id);
            var XHR = getXhr();
            XHR.open("UNLOCK", "/" + s);
            XHR.onreadystatechange = Client._instance.onUnlockRecordCallback;
            XHR.send(null);
        };
        return Client;
    })();
    mORMot.Client = Client;
})(mORMot || (mORMot = {}));

sample4client.html

<!DOCTYPE html>

<html>
<head>
  <title>mORMot sample 4 client web app</title>
</head>
<body>
  <h2>mORMot sample 4 client web app</h2>
  <div id="content"></div>
  <br>

  <form>
    <button type="button" id="login">
      log in
    </button>
    <button type="button" id="logout" >
      log out
    </button>
    <br><br>
    Your name: <input type="text" id="name">
    <button type="button" id="retrieveRecord" >
      Find a previous message
    </button><br>
    Your message:<br>
    <textarea style="width:400px" rows="5" id="message"></textarea><br>
    <button type="button" id="addRecord" >
      Add the message
    </button>
  </form>

  <script src="mORMotClient.js"></script>
  <script src="sample4.js"></script>
</body>
</html>

sample4.js

var mORMotClient = mORMot.Client.getInstance();

mORMotClient.onRetrieveRecord = onGetRecord;
mORMotClient.onAddRecord = onAddRec;

function onlogin(success, data) {
    document.getElementById("content").innerHTML = "login status: " + success + ' ' + data;
}

function onAddRec(httpStatus, location) {
  document.getElementById("content").innerHTML = "http status: " + httpStatus + ' Location:' + location;
}

function loginClickHandler(ev) {
    mORMotClient.logIn("http://localhost:8080", "root", "User", "synopse", onlogin);
}

function addRecClickHandler(ev) {
    var rec = { Time: 0,
                Name: document.getElementById("name").value,
                Question: document.getElementById("message").value
              };
    mORMotClient.addRecord("SampleRecord", rec);
}

function onGetRecord(HTTPValue, rec) {
  try {
    document.getElementById("message").value = rec[0].Question;
  } catch(e) {
    document.getElementById("message").value = "";
  }
}

function retrieveRecClickHandler(ev) {
    mORMotClient.retrieveRecordWhere("SampleRecord","ID,Time,Name,Question","Name=:(%27"+encodeURIComponent(document.getElementById

("name").value)+"%27):");
}

function logoutClickHandler(ev) {
    mORMotClient.logout();
}

document.getElementById("login").onclick = loginClickHandler;
document.getElementById("addRecord").onclick = addRecClickHandler;
document.getElementById("retrieveRecord").onclick = retrieveRecClickHandler;
document.getElementById("logout").onclick = logoutClickHandler;

Offline

#33 2014-09-15 07:03:32

DigDiver
Member
Registered: 2013-04-29
Posts: 137

Re: Javascript authentication

This code is used in the real application. see (http://synopse.info/forum/viewtopic.php?id=1954)

syn-auth.js

angular.module('syn-auth', ['em-utils'], function($provide) {

	// the number of login retries on 403 before logout
	var MAX_RECONNECT_COUNT = 5;

	$provide.factory('SynAuth', function(crc32, sha256) {

		function SynAuth(host, port) {

			var defaults = {
				host: '',
				defaultPort: '888',

				User : "",
				fRoot : "",
				fSessionID : 0,
				fSessionIDHexa8 : "",
				fSessionPrivateKey : 0,
				fSessionTickCountOffset : 0,
				fLastSessionTickCount : 0,

				PasswordHashHexa : "",
				fServerTimeStampOffset : 0,
				fcallBack : null,
				ffailCallBack : null
			};  // SynAuth namespace

			this.connectionReady = false;
			this.readyCallbacks = [];

			for ( var p in defaults ) {
				this[p] = defaults[p];
			}

			if ( host ) {
				this.setHost(host, port);	
			}
		}

		var sp = SynAuth.prototype;

		sp.ready = function(cb) {
			if ( this.connectionReady ) {
				cb(this);
			} else {
				this.readyCallbacks.push(cb);
			}
		};

		sp.fireReadyCbs = function() {
			var _this = this;
			angular.forEach(this.readyCallbacks, function(cb){
				cb(_this);
			});
		};

		sp.wrap = function(method){
			var that = this;
			return function(){
				method.apply(that, arguments);
			};
		};

		sp.setHost = function(host, port) {
			if ( !host.match(/\:\d+$/) ) {
				host += ':'+(port || this.defaultPort);
			}
			this.host = host;
		};
				
		sp.LogIn = function (root, username, password, callback, failCallback){
			this.fRoot = root;
			this.User = username;
			this.PasswordHashHexa = sha256.hash("salt"+password);
			if (callback) {this.fcallBack = callback;}
			if (failCallback) {this.ffailCallback = failCallback;}
			$.get(this.host+"/"+root+"/TimeStamp", this.wrap(this.gotTimeStamp));
		}

		sp.LogInAgain = function(callback){ //after timeout error for silent re-login
			this.fSessionID = 0;
			this.fSessionIDHexa8 = "";
			this.fSessionPrivateKey = 0;
			if (callback) {this.fcallBack = callback;} else {this.fcallBack = null;}
			$.get(this.host+"/"+this.fRoot+"/TimeStamp", this.wrap(this.gotTimeStamp));
		}

		sp.gotTimeStamp = function (timestamp) {
			var s = '', d = new Date(), clientTime = '';
			timestamp = parseInt(timestamp, 10);
			s = d.getFullYear().toString(2);
			while(s.length < 13) { s = '0'+s;}
			clientTime = s;
			s = d.getMonth().toString(2);
			while(s.length < 4) { s = '0'+s;}
			clientTime = clientTime +s;
			s = (d.getDate()-1).toString(2);
			while(s.length < 5) { s = '0'+s;}
			clientTime = clientTime +s;
			s = d.getHours().toString(2);
			while(s.length < 5) { s = '0'+s;}
			clientTime = clientTime +s;
			s = d.getMinutes().toString(2);
			while(s.length < 6) { s = '0'+s;}
			clientTime = clientTime +s;
			s = d.getSeconds().toString(2);
			while(s.length < 6) { s = '0'+s;}
			clientTime = clientTime +s;

			this.fServerTimeStampOffset = (timestamp - Math.floor(d.getTime()/10));
			$.get(this.host+"/"+this.fRoot+"/auth?UserName="+this.User, this.wrap(this.gotNonce));
		}

		sp.gotNonce = function (aNonce){
			var that = this;
			//create client nonce
			var aClientNonce = "", s = "", d = new Date();
			aClientNonce = d.getFullYear().toString();
			s = d.getMonth().toString();
			if (s.length === 1) { s = '0'+s;}
			aClientNonce = aClientNonce + '-' + s;
			s = d.getDate().toString();
			if (s.length === 1) { s = '0'+s;}
			aClientNonce = aClientNonce + '-' + s + ' ';
			s = d.getHours().toString();
			if (s.length === 1) { s = '0'+s;}
			aClientNonce = aClientNonce + s;
			s = d.getMinutes().toString();
			if (s.length === 1) { s = '0'+s;}
			aClientNonce = aClientNonce + ':' + s;
			s = d.getSeconds().toString();
			if (s.length === 1) { s = '0'+s;}
			aClientNonce = aClientNonce + ':' + s;			
			aClientNonce = sha256.hash(aClientNonce);
			s = this.host+"/"+ this.fRoot+"/auth?UserName="+this.User+"&Password=" + 
			 sha256.hash(this.fRoot+aNonce.result+aClientNonce+this.User+this.PasswordHashHexa )+
			 "&ClientNonce="+aClientNonce;
			$.ajax({
				type: "GET",
				dataType: "json",
				url: s,
				success: function(){ that.gotSession.apply(that, arguments); },
				error: function(){ that.ffailCallback.apply(that, arguments); }
			});                   
		};

		sp.gotSession = function (aSessionKey){
			var sessArr = aSessionKey.result.split('+');

			this.fSessionID = parseInt(sessArr[0], 10);
			this.fSessionIDHexa8 = this.fSessionID.toString(16);

			while ( this.fSessionIDHexa8.length < 8 ) { this.fSessionIDHexa8 = '0'+this.fSessionIDHexa8; }

			this.fSessionPrivateKey = crc32(this.PasswordHashHexa, crc32(aSessionKey.result, 0));

			if (this.fcallBack != null) {
				this.connectionReady = true;
				this.fireReadyCbs();
				this.fcallBack();
			}
		}

		sp.SessionSign = function (url) {
			var Tix, Nonce, s, ss; 
			Tix = Date.now(); // # of ms since Epoch

			if ( Tix <= this.fLastSessionTickCount ) {
				this.fLastSessionTickCount += 1;
			} else {
				this.fLastSessionTickCount = Tix;	
			}			
			Nonce = Tix.toString(16);

			while ( Nonce.length < 8 ) { Nonce = '0'+Nonce; }
			if ( Nonce.length > 8 ) { Nonce = Nonce.slice(Nonce.length-8) }

			ss = crc32(url, crc32(Nonce, this.fSessionPrivateKey)).toString(16);

			while ( ss.length < 8 ) { ss = '0'+ss; }

			s = url.indexOf("?") == -1 ? url+'?session_signature=' : url+'&session_signature=';

			return s + this.fSessionIDHexa8 + Nonce + ss;  
		}

		sp.getURL = function(uri) {
			return this.host+'/'+this.SessionSign(uri);
		}

		sp.Logout = function (callback) {
			if (this.fSessionID == 0) {if (callback){callback();}} else {
				$.get(this.host+"/"+this.fRoot+"/auth?UserName="+this.User+"&Session="+this.fSessionID, callback);
				this.fRoot = '';
				this.User = '';
				this.fSessionID = 0;
				this.fSessionIDHexa8 = "";
				this.fSessionPrivateKey = 0;
			}
		}

		return SynAuth;
	});

	
	// wps
	// wp/%/settings
	// wp/%/group
	// wp/%/bounce

	// infinitypropertycomau

	// garethinfinitypropertycomau

	// bernieinfinitypropertycomau

	var forEach = angular.forEach;

	function isArray(value) {
	  return Object.prototype.toString.apply(value) == '[object Array]';
	}

	function isObject(value){return value != null && typeof value == 'object';}

	function sortedKeys(obj) {
	  var keys = [];
	  for (var key in obj) {
	    if (obj.hasOwnProperty(key)) {
	      keys.push(key);
	    }
	  }
	  return keys.sort();
	}

	function forEachSorted(obj, iterator, context) {
	  var keys = sortedKeys(obj);
	  for ( var i = 0; i < keys.length; i++) {
	    iterator.call(context, obj[keys[i]], keys[i]);
	  }
	  return keys;
	}

	function encodeUriQuery(val, pctEncodeSpaces) {
	  return encodeURIComponent(val).
	             replace(/%40/gi, '@').
	             replace(/%3A/gi, ':').
	             replace(/%24/g, '$').
	             replace(/%2C/gi, ',').
	             replace(/%20/g, (pctEncodeSpaces ? '%20' : '+'));
	}	

	function buildQueryString(params) {
		var parts = [];
		forEachSorted(params, function(value, key) {
			if (value == null || value == undefined) return;
			if (!isArray(value)) value = [value];

			forEach(value, function(v) {
				if (isObject(v)) {
					v = toJson(v);
				}
				parts.push(encodeUriQuery(key) + '=' +
				         encodeUriQuery(v));
			});
		});
		return parts.join('&');
	}

    function buildUrl(url, params) {
      if (!params) return url;
      var qs = buildQueryString(params);

      return url + ((url.indexOf('?') == -1) ? '?' : '&') + qs;
    }

	$provide.factory('synConn', function(SynAuth, emAuth, $http, $q, emsLoadingBar) {
		var synConn = {
			opts: {
				host: emAuth.get('host'),
				port: emAuth.get('port'),
				email: emAuth.get('email'),
				password: emAuth.get('password'),
				secure: emAuth.get('secure')
			}
		};

		var roots = [
			'wps',
			'wp/\\d+/settings',
			'wp/\\d+/group',
			'wp/\\d+/bounce'
		];

		var connCache = {};	

		function setOpts(o) {
			synConn.opts = o;
			if ( !o.host ) { throw new Exception('[SynConn] setOpts. "host" option is not defined.'); }
			if ( !o.email ) { throw new Exception('[SynConn] setOpts. "email" option is not defined.'); }
			if ( !o.password ) { throw new Exception('[SynConn] setOpts. "password" option is not defined.'); }
			o.port = o.port || '888';
		}

		 function supplant (str, o) {
		    return str.replace(
		        /\{([^{}]*)\}/g,
		        function (a, b) {
		            var r = o[b];
		            return typeof r === 'string' || typeof r === 'number' ? r : a;
		        }
		    );
		}

		function getBaseURL() {
			var pr = synConn.opts.secure ? 'https' : 'http';
			return pr+'://'+synConn.opts.host+':'+synConn.opts.port+'/';
		}

		function createNewSynAuth(root, done) {
			var pr = synConn.opts.secure ? 'https' : 'http';
			//return { SynAuth: 'dummy'+(new Date()).getTime() };

			var sa = new SynAuth(pr+'://'+synConn.opts.host, synConn.opts.port);

			sa.LogIn(root, synConn.opts.email, synConn.opts.password, function(){
				done(null, sa);
			}, function(xhr, status, msg){
				// failback
				var err = new Error(msg);
				err.status = xhr.status;
				done(err);
			});			

			return sa;
		}

		function getConnectionFromURi(uri, done) {
			var found = false;
			// looking for cached connection
			for ( var root in connCache ) {
				if ( uri.indexOf(root) === 0 ) {
					return connCache[root].ready(function(conn){
						done(null, conn);	
					});					
				}
			}

			// creating new connection
			for (var r, res, i = 0; i < roots.length; i++) {
				if ( res = (new RegExp(roots[i],'i')).exec(uri) ) {
					r = res[0]; // matched root uri, like wp/1/settings
					found = true;
					connCache[r] = createNewSynAuth(r, function(err, sa){
						if ( err ) {
							delete connCache[r];
							return done(err);
						}
						return done(null, sa);
					});
				}
			}
			if ( !found ) {
				done(new Error('getConnectionFromURi: Cannot get rootURi for '+uri));
			}
		}

		function removeCachedConnection(sa) {
			var found = false;
			// looking for cached connection
			for ( var root in connCache ) {
				if ( connCache[root] === sa) {
					delete connCache[root];
					break;
				}
			}
		}		

		function http(o) {
			var that = {
				sa: null,
				err: null,
				errorCb: null,
				successCb: null
			};

			if ( !o.headers ) {
				o.headers = {};
			}

			var reconnect = 0;

			var wp = emAuth.get('workplace');

			if ( wp ) {
				synConn.opts.wpId = emAuth.get('workplace').ID;	
			}		

			o.uri = supplant(o.uri, synConn.opts);

			function connect() {
				getConnectionFromURi(o.uri, function(err, sa){
					if ( err ) { that.err = err;  }
					that.sa = sa;

					setTimeout(function() {
						if ( err ) { return that.errorCb(err); }
						runRequest();
					}, 1);
				});				
			}

			connect();

			function runRequest() {

				var url;

				if ( o.params ) {
					url = that.sa.getURL( buildUrl(o.uri, o.params) );
					delete o.params;
				} else {
					url = that.sa.getURL(o.uri);
				}

				if ( o.data ) {
					if ( o.headers['Content-Type'] === 'application/x-www-form-urlencoded' ) {
						o.data = buildQueryString(o.data);
					}
				}

				var opts = angular.extend({ url : url }, o);
				delete opts.uri;
				opts.method = opts.method || 'GET';

				$http(opts).success(function(){					
					that.successCb.apply(this, arguments);
					emsLoadingBar.stop();
					reconnect = 0;
				}).error(function(data){
					var err = new Error(data.ErrorText);
						err.ErrorCode = data.ErrorCode;

					if ( err && err.ErrorCode == 403 ) {
						if ( reconnect == MAX_RECONNECT_COUNT ) {
							alert('Authentication failure. You will be logged out now. Shall this error repeat, contact your server administrator.');						
							window.location.hash = '#/logout';
							return;
						}
						removeCachedConnection(that.sa);
						reconnect += 1;
						connect();
					} else {
						var args = Array.prototype.slice.call(arguments);
						args.unshift(err);
						that.errorCb.apply(this, args);
						emsLoadingBar.stop();
					}					
				});
				emsLoadingBar.start();
			}

			return {
				success: function(cb){
					that.successCb = cb;
					return this;
				},
				error: function(cb){
					that.errorCb = cb;
					return this;
				}

			};
		}

		function touch(uri, done) {
			getConnectionFromURi(uri, done);
		}

		synConn.logout = function() {
			connCache = {};
		};

		//getConnectionFromURi('wp/1/settings/GetTemplateMessage?ID=');

		synConn.setOpts = setOpts;
		synConn.http = http;
		synConn.touch = touch;
		synConn.getBaseURL = getBaseURL;

		return synConn;
	});
});

Please pay attention to ROOT:

var roots = [
			'wps',
			'wp/\\d+/settings',
			'wp/\\d+/group',
			'wp/\\d+/bounce'
		];

em-utils.js

angular.module('em-utils', [], function($provide) {

    var makeCRCTable = function(){
        var c;
        var crcTable = [];
        for(var n =0; n < 256; n++){
            c = n;
            for(var k =0; k < 8; k++){
                c = ((c&1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1));
            }
            crcTable[n] = c;
        }
        return crcTable;
    }
    var crcTable = makeCRCTable();

    var crc32 = function(str, init) {
        var crc = (typeof init === 'undefined') ? 0 ^ (-1) : init^0xFFFFFFFF;
        //var crc = 0 ^ (-1);
    
        for (var i = 0; i < str.length; i++ ) {
            crc = (crc >>> 8) ^ crcTable[(crc ^ str.charCodeAt(i)) & 0xFF];
        }
    
        return (crc ^ (-1)) >>> 0;
    };

	/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
	/*  SHA-256 implementation in JavaScript | (c) Chris Veness 2002-2010 | www.movable-type.co.uk    */
	/*   - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html                             */
	/*         http://csrc.nist.gov/groups/ST/toolkit/examples.html                                   */
	/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

	var Sha256 = {};  // Sha256 namespace

	/**
	 * Generates SHA-256 hash of string
	 *
	 * @param {String} msg                String to be hashed
	 * @param {Boolean} [utf8encode=true] Encode msg as UTF-8 before generating hash
	 * @returns {String}                  Hash of msg as hex character string
	 */
	Sha256.hash = function(msg, utf8encode) {
			utf8encode =  (typeof utf8encode == 'undefined') ? true : utf8encode;
			
			// convert string to UTF-8, as SHA only deals with byte-streams
			if (utf8encode) msg = Utf8.encode(msg);
			
			// constants [§4.2.2]
			var K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
							 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
							 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
							 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
							 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
							 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
							 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
							 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2];
			// initial hash value [§5.3.1]
			var H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];

			// PREPROCESSING 
	 
			msg += String.fromCharCode(0x80);  // add trailing '1' bit (+ 0's padding) to string [§5.1.1]

			// convert string msg into 512-bit/16-integer blocks arrays of ints [§5.2.1]
			var l = msg.length/4 + 2;  // length (in 32-bit integers) of msg + '1' + appended length
			var N = Math.ceil(l/16);   // number of 16-integer-blocks required to hold 'l' ints
			var M = new Array(N);

			for (var i=0; i<N; i++) {
					M[i] = new Array(16);
					for (var j=0; j<16; j++) {  // encode 4 chars per integer, big-endian encoding
							M[i][j] = (msg.charCodeAt(i*64+j*4)<<24) | (msg.charCodeAt(i*64+j*4+1)<<16) | 
												(msg.charCodeAt(i*64+j*4+2)<<8) | (msg.charCodeAt(i*64+j*4+3));
					} // note running off the end of msg is ok 'cos bitwise ops on NaN return 0
			}
			// add length (in bits) into final pair of 32-bit integers (big-endian) [§5.1.1]
			// note: most significant word would be (len-1)*8 >>> 32, but since JS converts
			// bitwise-op args to 32 bits, we need to simulate this by arithmetic operators
			M[N-1][14] = ((msg.length-1)*8) / Math.pow(2, 32); M[N-1][14] = Math.floor(M[N-1][14])
			M[N-1][15] = ((msg.length-1)*8) & 0xffffffff;


			// HASH COMPUTATION [§6.1.2]

			var W = new Array(64); var a, b, c, d, e, f, g, h;
			for (var i=0; i<N; i++) {

					// 1 - prepare message schedule 'W'
					for (var t=0;  t<16; t++) W[t] = M[i][t];
					for (var t=16; t<64; t++) W[t] = (Sha256.sigma1(W[t-2]) + W[t-7] + Sha256.sigma0(W[t-15]) + W[t-16]) & 0xffffffff;

					// 2 - initialise working variables a, b, c, d, e, f, g, h with previous hash value
					a = H[0]; b = H[1]; c = H[2]; d = H[3]; e = H[4]; f = H[5]; g = H[6]; h = H[7];

					// 3 - main loop (note 'addition modulo 2^32')
					for (var t=0; t<64; t++) {
							var T1 = h + Sha256.Sigma1(e) + Sha256.Ch(e, f, g) + K[t] + W[t];
							var T2 = Sha256.Sigma0(a) + Sha256.Maj(a, b, c);
							h = g;
							g = f;
							f = e;
							e = (d + T1) & 0xffffffff;
							d = c;
							c = b;
							b = a;
							a = (T1 + T2) & 0xffffffff;
					}
					 // 4 - compute the new intermediate hash value (note 'addition modulo 2^32')
					H[0] = (H[0]+a) & 0xffffffff;
					H[1] = (H[1]+b) & 0xffffffff; 
					H[2] = (H[2]+c) & 0xffffffff; 
					H[3] = (H[3]+d) & 0xffffffff; 
					H[4] = (H[4]+e) & 0xffffffff;
					H[5] = (H[5]+f) & 0xffffffff;
					H[6] = (H[6]+g) & 0xffffffff; 
					H[7] = (H[7]+h) & 0xffffffff; 
			}

			return Sha256.toHexStr(H[0]) + Sha256.toHexStr(H[1]) + Sha256.toHexStr(H[2]) + Sha256.toHexStr(H[3]) + 
						 Sha256.toHexStr(H[4]) + Sha256.toHexStr(H[5]) + Sha256.toHexStr(H[6]) + Sha256.toHexStr(H[7]);
	}

	Sha256.ROTR = function(n, x) { return (x >>> n) | (x << (32-n)); }
	Sha256.Sigma0 = function(x) { return Sha256.ROTR(2,  x) ^ Sha256.ROTR(13, x) ^ Sha256.ROTR(22, x); }
	Sha256.Sigma1 = function(x) { return Sha256.ROTR(6,  x) ^ Sha256.ROTR(11, x) ^ Sha256.ROTR(25, x); }
	Sha256.sigma0 = function(x) { return Sha256.ROTR(7,  x) ^ Sha256.ROTR(18, x) ^ (x>>>3);  }
	Sha256.sigma1 = function(x) { return Sha256.ROTR(17, x) ^ Sha256.ROTR(19, x) ^ (x>>>10); }
	Sha256.Ch = function(x, y, z)  { return (x & y) ^ (~x & z); }
	Sha256.Maj = function(x, y, z) { return (x & y) ^ (x & z) ^ (y & z); }

	//
	// hexadecimal representation of a number 
	//   (note toString(16) is implementation-dependant, and  
	//   in IE returns signed numbers when used on full words)
	//
	Sha256.toHexStr = function(n) {
		var s="", v;
		for (var i=7; i>=0; i--) { v = (n>>>(i*4)) & 0xf; s += v.toString(16); }
		return s;
	}


	/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
	/*  Utf8 class: encode / decode between multi-byte Unicode characters and UTF-8 multiple          */
	/*              single-byte character encoding (c) Chris Veness 2002-2010                         */
	/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

	var Utf8 = {};  // Utf8 namespace

	/**
	 * Encode multi-byte Unicode string into utf-8 multiple single-byte characters 
	 * (BMP / basic multilingual plane only)
	 *
	 * Chars in range U+0080 - U+07FF are encoded in 2 chars, U+0800 - U+FFFF in 3 chars
	 *
	 * @param {String} strUni Unicode string to be encoded as UTF-8
	 * @returns {String} encoded string
	 */
	Utf8.encode = function(strUni) {
		// use regular expressions & String.replace callback function for better efficiency 
		// than procedural approaches
		var strUtf = strUni.replace(
				/[\u0080-\u07ff]/g,  // U+0080 - U+07FF => 2 bytes 110yyyyy, 10zzzzzz
				function(c) { 
					var cc = c.charCodeAt(0);
					return String.fromCharCode(0xc0 | cc>>6, 0x80 | cc&0x3f); }
			);
		strUtf = strUtf.replace(
				/[\u0800-\uffff]/g,  // U+0800 - U+FFFF => 3 bytes 1110xxxx, 10yyyyyy, 10zzzzzz
				function(c) { 
					var cc = c.charCodeAt(0); 
					return String.fromCharCode(0xe0 | cc>>12, 0x80 | cc>>6&0x3F, 0x80 | cc&0x3f); }
			);
		return strUtf;
	}

	/**
	 * Decode utf-8 encoded string back into multi-byte Unicode characters
	 *
	 * @param {String} strUtf UTF-8 string to be decoded back to Unicode
	 * @returns {String} decoded string
	 */
	Utf8.decode = function(strUtf) {
		// note: decode 3-byte chars first as decoded 2-byte strings could appear to be 3-byte char!
		var strUni = strUtf.replace(
				/[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g,  // 3-byte chars
				function(c) {  // (note parentheses for precence)
					var cc = ((c.charCodeAt(0)&0x0f)<<12) | ((c.charCodeAt(1)&0x3f)<<6) | ( c.charCodeAt(2)&0x3f); 
					return String.fromCharCode(cc); }
			);
		strUni = strUni.replace(
				/[\u00c0-\u00df][\u0080-\u00bf]/g,                 // 2-byte chars
				function(c) {  // (note parentheses for precence)
					var cc = (c.charCodeAt(0)&0x1f)<<6 | c.charCodeAt(1)&0x3f;
					return String.fromCharCode(cc); }
			);
		return strUni;
	}

	/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

	$provide.factory('crc32', function() {
		return crc32;
	});

	$provide.factory('sha256', function() {
		return Sha256;
	});
});

Offline

#34 2014-09-15 07:29:37

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

@EsmondDB @DigDiver
I've added both links to the "Third party Samples" page of this forum.
See http://synopse.info/forum/viewtopic.php … 518#p12518

Thanks a lot for sharing!
Such code is very helpful.
Especially when using "trendy" solutions like TypeScript of AngularJS.
big_smile

Offline

#35 2014-09-16 06:41:06

DigDiver
Member
Registered: 2013-04-29
Posts: 137

Re: Javascript authentication

I uploaded whole JavaScript project to the Dropbox:

https://www.dropbox.com/s/ex9pfemvwmp4kba/www.zip?dl=0

but to understand how it works is better to download Software (G-Lock EasyMail) from a topic http://synopse.info/forum/viewtopic.php?id=1954
and visit browser url: http://127.0.0.1:50888/wps/www/index.html

Offline

#36 2014-09-16 11:31:14

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Thanks for sharing!

I've included the main part of it to http://synopse.info/fossil/dir?ci=trunk … &type=tree
May be helpful as reference.

Offline

#37 2014-09-18 00:56:59

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: Javascript authentication

Hi, I've created an experimental web app using AngularJS with mORMot.
Wacky Races with mORMot See at http://synopse.info/forum/viewtopic.php?id=2030

Can you confirm that there's an authentication issue with Firefox (my FF is ver. 8). Chrome is working fine.
Thanks a lot for sharing.

Last edited by warleyalex (2014-09-21 00:09:48)

Offline

#38 2014-09-18 07:44:02

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Great!
Some code to share?

Offline

#39 2014-09-23 20:43:03

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: Javascript authentication

Usually, to match the mORMOt authentication, you have something like:

http://127.0.0.1:888/service/TimeStamp
http://127.0.0.1:888/service/auth?UserName=User
http://127.0.0.1:888/service/auth?UserN … 20c3f9981e

I've just modified some code to match the authentication using two handshakes:

http://127.0.0.1:888/service/auth?UserName=User
http://127.0.0.1:888/service/auth?UserN … 20c3f9981e

In my tidier JS, I don't use TimeStamp (to return the server time stamp).  Is there any problem with this approach?

Offline

#40 2014-09-23 22:11:38

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

No, AFAIR the TimeStamp service is used only for the ORM (TModTime and TCreateTime fields), not for authentication itself.

Offline

#41 2014-09-24 07:12:25

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,534
Website

Re: Javascript authentication

Yes, TimeStamp service is not mandatory for authentication. But only in case we sure client & server time is synchronized. This is true for enterprise, but not true for usual user. So,  like in code DigDiver  provide it used to calculate difference between client time and server timeStamp to allow login for users with wrong time. In my application I do not do that for security reasons, but sometimes it make sense.

Offline

#42 2016-01-25 12:52:11

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Re: Javascript authentication

I've put an improved version of my typescript client on GitHub:

https://github.com/esmondb/mORMot-Typescript-client

No guarantees for 'fitness for purpose' but any feedback welcome!

Offline

#43 2016-01-25 13:35:44

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

Nice work!

I’ve just added TypeScript types to the mORMot wrappers (like boolean, number, string…).
See http://synopse.info/fossil/info/4a043d72b9b

So that we may generate “interface” types for all ORM classes and SOA services.
And define some dedicated types in mORMotClient.ts, e.g. TID, TGUID and others, so that we may be able to consume any mORMot services

We need to fix also the Int64 issue with JS 53-bit precision: TID are truncated to 53-bit, so we would need to transfer such true Int64 numbers as JSON...
There is no issue with TTimeLog (which has a 38-bit precision). But TID (and TRecordReference), and more generally Int64 values need to be handled as expected...

Offline

#44 2016-01-25 14:47:01

edwinsn
Member
Registered: 2010-07-02
Posts: 1,215

Re: Javascript authentication

Great! Well done!


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.

Offline

#45 2016-02-05 10:37:15

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

See http://synopse.info/fossil/info/1b262fa76e about a first attempt to circumvent awfull JavaScript limitation of 53-bit for integers serialization.
If rsoGetID_str is added to TSQLRestServer.Options, it will add an additional "ID_str":"12345" field to the standard "ID":12345 field for AJAX clients.

It will work for the main TSQLRecord.ID field only by now.
We may have to handle other 64-bit fields which may appear in TSQLRecord definition.

Offline

#46 2016-02-05 14:23:30

esmondb
Member
From: London
Registered: 2010-07-20
Posts: 299

Re: Javascript authentication

Thanks for adding this option.

I slightly dread trying to handle 64bit IDs in javascript. My plan at the moment is to ignore IDs bigger than javascript's 53-bit limit for javascript clients - it's unlikely I'll need anything larger than 32bit.

Offline

#47 2016-02-05 15:49:32

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,534
Website

Re: Javascript authentication

BTW OData protocol serialize Int46 as string in form "123124234524543L". But my personal opinion is to limit a ID to 53 bit's values (in the TSynUniqueIdentifierGenerator for example)

Offline

#48 2016-02-05 19:37:40

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: Javascript authentication

53 bit is too low IMHO.
I don't care about JavaScript limitation: just use a string within JavaScript, and leave Delphi code stay with 64 bit IDs.

See the context here http://stackoverflow.com/a/34989371/458259
and why I go into adding a "id_str":"...." new field.

Offline

#49 2016-02-06 08:03:35

edwinsn
Member
Registered: 2010-07-02
Posts: 1,215

Re: Javascript authentication

I think ab's approach is good - using string values instead, it offers flexibility.


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.

Offline

#50 2016-02-24 16:10:02

albanirneves
Member
Registered: 2016-02-24
Posts: 1

Re: Javascript authentication

This is my working class code Ext.js.Auth I use with ExtJS 6.0 and mORMot backend:

Ext.define('Ext.js.Auth', {
    singleton: true,

    server: "http://127.0.0.1:8030",
    root: "root",

    start: function (operation, action){
        this.getServerToken();

        this.operation = operation;
        this.action = action;
    },

    getServerToken: function () {
        var params = "/Auth?UserName=" + Ext.$('login')[0].getViewModel().get('user');
        this.request(params, this.getSessionToken, this);  
    },

    getSessionToken: function (serverToken, scope) {
        var me = scope,
            clientToken = "", 
            params = "", 
            d = new Date(),
            password = me.sha256("salt" + Ext.$('login')[0].getViewModel().get('password')),
            userName = Ext.$('login')[0].getViewModel().get('user');

        clientToken += d.getFullYear().toString();
        clientToken += '-' + me.zeroLeft(d.getMonth().toString(), 2);
        clientToken += '-' + me.zeroLeft(d.getDate().toString(), 2) + ' ';
        clientToken += me.zeroLeft(d.getHours().toString(), 2);
        clientToken += ':' + me.zeroLeft(d.getMinutes().toString(), 2);
        clientToken += ':' + me.zeroLeft(d.getSeconds().toString(), 2);
        clientToken = me.sha256(clientToken);

        params = "/Auth?UserName=" + userName + "&Password=" + 
            me.sha256(me.root + serverToken + clientToken + userName + password) +
            "&ClientNonce=" + clientToken;

        me.request(params, me.assignOperation, me);
    },

    assignOperation: function (sessionToken, scope) {
        var me = scope,
            sessionToken = JSON.parse(sessionToken).result,
            sessionId = parseInt(sessionToken.slice(0, sessionToken.indexOf("+"))),
            sessionSignature = me.zeroLeft(sessionId.toString(16).toUpperCase(), 8);

        me.operation.getProxy().setExtraParam('session_signature', sessionSignature);
        me.executeOperation(me);
    },

    executeOperation: function (scope) {
        scope.operation.execute(scope.action);
    },

    request: function (url, callback, scope) {
        var xhr = new XMLHttpRequest(),
            me = scope;

        xhr.withCredentials = false;

        xhr.addEventListener("readystatechange", function (e) {
            if (xhr.readyState == 4 && xhr.status == "200") {
                callback(xhr.responseText, me);
                
            } else if (xhr.readyState == 4 && xhr.status == "400"){
                Ext.Note('error', 'Invalid Authentication');

            } else if (xhr.readyState == 4){
                Ext.Note('error', 'Server Error');
            }
        });

        xhr.open("GET", me.server + "/" + this.root + url);
        xhr.send(null);
    },

    zeroLeft: function (s, chars) {
        s = (s && s.toString) ? s.toString() : '';

        while(s.length < chars){
            s = '0' + s;
        }

        return s
    },

    utf8Encode: function (string) {
        var utftext = "",
            string = string.replace(/\r\n/g,"\n");
 
        for (var n = 0; n < string.length; n++) {
            var c = string.charCodeAt(n);
 
            if (c < 128) {
                utftext += String.fromCharCode(c);
            
            } else if((c > 127) && (c < 2048)) {
                utftext += String.fromCharCode((c >> 6) | 192);
                utftext += String.fromCharCode((c & 63) | 128);

            } else {
                utftext += String.fromCharCode((c >> 12) | 224);
                utftext += String.fromCharCode(((c >> 6) & 63) | 128);
                utftext += String.fromCharCode((c & 63) | 128);
            }
        }
 
        return utftext;
    },

    sha256: function (s) {
        var chrsz   = 8,
            hexcase = 0;

        function safe_add (x, y) {
            var lsw = (x & 0xFFFF) + (y & 0xFFFF),
                msw = (x >> 16) + (y >> 16) + (lsw >> 16);

            return (msw << 16) | (lsw & 0xFFFF);
        }

        function S (X, n) {return ( X >>> n ) | (X << (32 - n)); }
        function R (X, n) { return ( X >>> n ); }
        function Ch(x, y, z) { return ((x & y) ^ ((~x) & z)); }
        function Maj(x, y, z) { return ((x & y) ^ (x & z) ^ (y & z)); }
        function Sigma0256(x) { return (S(x, 2) ^ S(x, 13) ^ S(x, 22)); }
        function Sigma1256(x) { return (S(x, 6) ^ S(x, 11) ^ S(x, 25)); }
        function Gamma0256(x) { return (S(x, 7) ^ S(x, 18) ^ R(x, 3)); }
        function Gamma1256(x) { return (S(x, 17) ^ S(x, 19) ^ R(x, 10)); }

        function core_sha256 (m, l) {
            var K = [
                    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 
                    0xAB1C5ED5, 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 
                    0x9BDC06A7, 0xC19BF174, 0xE49B69C1, 0xEFBE4786, 0xFC19DC6,  0x240CA1CC, 0x2DE92C6F, 
                    0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 
                    0xC6E00BF3, 0xD5A79147, 0x6CA6351,  0x14292967, 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 
                    0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 0xA2BFE8A1, 0xA81A664B, 
                    0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 0x19A4C116, 
                    0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 
                    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 
                    0xC67178F2
                ],
                HASH = [
                    0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 
                    0x5BE0CD19
                ],
                W = [64],
                a, b, c, d, e, f, g, h, i, j, T1, T2;

            m[l >> 5] |= 0x80 << (24 - l % 32);

            m[((l + 64 >> 9) << 4) + 15] = l;

            for (var i = 0; i < m.length; i += 16 ) {
                a = HASH[0];
                b = HASH[1];
                c = HASH[2];
                d = HASH[3];
                e = HASH[4];
                f = HASH[5];
                g = HASH[6];
                h = HASH[7];

                for (var j = 0; j < 64; j++) {
                    if (j < 16) {
                        W[j] = m[j + i];

                    } else {
                        W[j] = safe_add(safe_add(safe_add(Gamma1256(W[j - 2]), W[j - 7]), Gamma0256(W[j - 15])), W[j - 16]);
                    }

                    T1 = safe_add(safe_add(safe_add(safe_add(h, Sigma1256(e)), Ch(e, f, g)), K[j]), W[j]);
                    T2 = safe_add(Sigma0256(a), Maj(a, b, c));
                    h = g;
                    g = f;
                    f = e;
                    e = safe_add(d, T1);
                    d = c;
                    c = b;
                    b = a;
                    a = safe_add(T1, T2);
                }

                HASH[0] = safe_add(a, HASH[0]);
                HASH[1] = safe_add(b, HASH[1]);
                HASH[2] = safe_add(c, HASH[2]);
                HASH[3] = safe_add(d, HASH[3]);
                HASH[4] = safe_add(e, HASH[4]);
                HASH[5] = safe_add(f, HASH[5]);
                HASH[6] = safe_add(g, HASH[6]);
                HASH[7] = safe_add(h, HASH[7]);
            }
            return HASH;
        }

        function str2binb (str) {
            var bin = [],
                mask = (1 << chrsz) - 1;

            for(var i = 0; i < str.length * chrsz; i += chrsz) {
                bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i%32);
            }

            return bin;
        }

        function binb2hex (binarray) {
            var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef",
                str = "";

            for(var i = 0; i < binarray.length * 4; i++) {
                str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4) * 8 + 4)) & 0xF) +
                hex_tab.charAt((binarray[i>>2] >> ((3 - i%4) * 8)) & 0xF);
            }
            return str;
        }

        s = this.utf8Encode(s);

        return binb2hex(core_sha256(str2binb(s), s.length * chrsz));
    }
});


This requires a override model save method:

Ext.define('Overrides.data.Model', {
    override: 'Ext.data.Model',

    //override to enable authentication on server before call a servermethod
    save: function(options) {
        options = Ext.apply({}, options);
        
        var me = this,
            phantom = me.phantom,
            dropped = me.dropped,
            action = dropped ? 'destroy' : (phantom ? 'create' : 'update'),
            scope  = options.scope || me,
            callback = options.callback,
            proxy = me.getProxy(),
            operation;
            
        options.records = [me];
        options.internalCallback = function(operation) {
            var args = [me, operation],
                success = operation.wasSuccessful();
            if (success) {
                Ext.callback(options.success, scope, args);
            } else {
                Ext.callback(options.failure, scope, args);
            }
            args.push(success);
            Ext.callback(callback, scope, args);
        };
        delete options.callback;
        
        operation = proxy.createOperation(action, options);

        if (dropped && phantom) {
            operation.setResultSet(Ext.data.reader.Reader.prototype.nullResultSet);
            me.setErased();
            operation.setSuccessful(true);

        } else {
            //OVERRIDE: force server authentication from Ext.js.Auth
            Ext.js.Auth.start(operation, action);

            //this commented line will be execute after authentication in Ext.js.Auth
            //operation.execute(action);
        }
        return operation;
    }
})

wink

Offline

Board footer

Powered by FluxBB