Hi AB.
After reading the SAD and the blog post on authentication and permissions, I was wondering if we could add a field to disable the user.
I already did some tests and everything seems clear and straightforward.
Tested and working:
function TSQLRestServerAuthentication.GetUser(Ctxt: TSQLRestServerURIContext;
  const aUserName: RawUTF8): TSQLAuthUser;
begin
  result := fServer.fSQLAuthUserClass.Create(fServer,'LogonName=?',[aUserName]);
  if result.fID=0 then begin
    {$ifdef WITHLOG}
    fServer.fLogFamily.SynLog.Log(sllUserAuth,
      'User.LogonName=% not found in AuthUser table',[aUserName],self);
    {$endif}
    FreeAndNil(result);
  end else
  if not result.fEnabled then begin // added part <<-----------------------------
    // the user exists but has been disabled: refuse to authenticate
    {$ifdef WITHLOG}
    fServer.fLogFamily.SynLog.Log(sllUserAuth,
      'User.LogonName=% Disabled',[aUserName],self);
    {$endif}
    FreeAndNil(result);
  end;
end;
We must of course add the field "enabled" in the class.
  /// class of the table containing the available user access rights for authentication
  TSQLAuthGroupClass = class of TSQLAuthGroup;

  {/ table containing the Users registered for authentication
    - this class should be added to the TSQLModel, together with TSQLAuthGroup,
      to allow authentication support
    - you can inherit from it to add your custom properties to each user info:
      TSQLModel will search for any class inheriting from TSQLAuthUser to manage
      per-user authorization data
    - by default, it won't be accessible remotely by anyone; to enhance security,
      you could use the TSynValidatePassWord filter to this table }
  TSQLAuthUser = class(TSQLRecord)
  protected
    fLogonName: RawUTF8;
    fPasswordHashHexa: RawUTF8;
    fDisplayName: RawUTF8;
    fEnabled: boolean; //<<---------------------------------------------------
    fGroup: TSQLAuthGroup;
    fData: TSQLRawBlob;
    procedure SetPasswordPlain(const Value: RawUTF8);
  public
    /// able to set the PasswordHashHexa field from a plain password content
    // - in fact, PasswordHashHexa := SHA256('salt'+PasswordPlain) in UTF-8
    property PasswordPlain: RawUTF8 write SetPasswordPlain;
  published
    /// the User identification Name, as entered at log-in
    // - the same identifier can be used only once (this column is marked as
    // unique via a "stored AS_UNIQUE" - i.e. "stored false" - attribute), and
    // therefore indexed in the database (e.g. hashed in TSQLRestStorageInMemory)
    property LogonName: RawUTF8 index 20 read fLogonName write fLogonName stored AS_UNIQUE;
    /// the User Name, as may be displayed or printed
    property DisplayName: RawUTF8 index 50 read fDisplayName write fDisplayName;
    /// the UserID is gsw usercode
    /// the hexa encoded associated SHA-256 hash of the password
    property PasswordHashHexa: RawUTF8 index 64 read fPasswordHashHexa write fPasswordHashHexa;
    /// the associated access rights of this user
    // - access rights are managed by group
    // - in TAuthSession.User instance, GroupRights property will contain a
    // REAL TSQLAuthGroup instance for fast retrieval in TSQLRestServer.URI
    // - note that 'Group' field name is not allowed by SQLite
    property GroupRights: TSQLAuthGroup read fGroup write fGroup;
    /// some custom data, associated to the User
    // - Server application may store here custom data
    // - its content is not used by the framework but 'may' be used by your
    // application
    property Data: TSQLRawBlob read fData write fData;
    /// whether this user is allowed to log on (enabled or not) <<-------------
    property Enabled: boolean read fEnabled write fEnabled; // <<--------------
  end;
To do this you can create a custom AuthUser class and inherit it from the TSQLAuthUser class, for example:
type
  TAuthUser = class(TSQLAuthUser)
  protected
    FCreated: TDateTime;
    FEmail: RawUTF8;
    FFirstName: RawUTF8;
    FLastName: RawUTF8;
    FValidTill: TDateTime;
    FGuid: RawUTF8;
  published
    property Created: TDateTime read FCreated write FCreated;
    property Email: RawUTF8 read FEmail write FEmail;
    property FirstName: RawUTF8 read FFirstName write FFirstName;
    property LastName: RawUTF8 read FLastName write FLastName;
    property ValidTill: TDateTime read FValidTill write FValidTill;
    property Guid: RawUTF8 read FGuid write FGuid;
  end;
And you must add this new class to the model:
GroupsModel := TSQLModel.Create([TAuthUser, TAuthGroup, ...], FormatUtf8('wp/%/group',[ServerLogon.WPID]));
Last edited by DigDiver (2014-09-26 06:07:31)
Adding some field is for sure the right way.
But here we are talking about authentication.
There is no callback to validate the user with additional fields.
Surely having a method to finish the authentication may be interesting:
You could for example authenticate a user only if the source ip is the right one,
or on an hourly basis.
As well as keeping an eye on failed attempts.
We have introduced a virtual method, TSQLAuthUser.CanUserLog(), to ensure authentication is allowed for a particular user.
See http://synopse.info/fossil/info/32c95e7f5a
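As an added example (not code from this thread or from the mORMot sources), here is how the Enabled flag from the first post and the ValidTill date from DigDiver's class can be enforced by overriding CanUserLog() instead of patching GetUser(). It assumes the method signature is function CanUserLog(Ctxt: TSQLRestServerURIContext): boolean; virtual; as in the linked commit, and that Ctxt.Server.LogFamily.SynLog is available for logging.

```pascal
unit AuthUserEnabled;

interface

uses
  SysUtils, SynCommons, SynLog, mORMot;

type
  /// custom user class: the account must be flagged Enabled and, when a
  // ValidTill date is set, must not have expired yet
  TAuthUserEnabled = class(TSQLAuthUser)
  protected
    fEnabled: boolean;
    fValidTill: TDateTime;
  public
    /// called by the authentication scheme before any session is created;
    // returning false rejects the log-on without leaking why to the client
    // (signature assumed from the linked commit)
    function CanUserLog(Ctxt: TSQLRestServerURIContext): boolean; override;
  published
    property Enabled: boolean read fEnabled write fEnabled;
    /// 0 means "no expiration"; compared against UTC time
    property ValidTill: TDateTime read fValidTill write fValidTill;
  end;

implementation

function TAuthUserEnabled.CanUserLog(Ctxt: TSQLRestServerURIContext): boolean;
begin
  result := inherited CanUserLog(Ctxt); // keep any framework-level checks
  if not result then
    exit;
  if not fEnabled then begin
    result := false; // explicitly disabled by an administrator
    Ctxt.Server.LogFamily.SynLog.Log(sllUserAuth,
      'User.LogonName=% is disabled', [LogonName], self);
  end else
  if (fValidTill <> 0) and (fValidTill < NowUTC) then begin
    result := false; // account expired: deny by default, do not auto-extend
    Ctxt.Server.LogFamily.SynLog.Log(sllUserAuth,
      'User.LogonName=% expired on %', [LogonName,
        DateTimeToIso8601Text(fValidTill)], self);
  end;
end;

// register with: TSQLModel.Create([TAuthUserEnabled, TSQLAuthGroup, ...], 'root')
end.
```

Because the decision is taken inside the user record, every authentication scheme that calls GetUser() benefits from it, and the server log keeps a per-user audit trail of refused log-ons.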