Implementing your own password hash

willo · 2015-07-27 10:51:57

Hi Ab,

I need to authenticate against an existing user database which calculates a proprietary hash. The easiest way I found to do that was to declare my own TSQLAuthUser. If we make TSQLAuthUser.SetPasswordPlain virtual, I can override the hash calculation and everything works.

Will you apply this to the code base?
procedure SetPasswordPlain(const Value: RawUTF8); virtual;

I think this part of the library needs some work though, it's very tightly bound. Perhaps if one can abstract it out to use interfaces instead, that would make extending it really easy.

PS Article forthcoming.

ab · 2015-07-27 11:27:16

You could sub-class the TSQLAuthUser type, and provide it in the TSQLRest model.
See http://synopse.info/forum/viewtopic.php?id=2053

Or just use the mORMot authentication just for communication, with fixed passwords and users at low level, letting your existing database with its user/password proprietary process be used for high-level authentication.
That is, do not use mORMot authentication for your business authentication.

willo · 2015-07-27 11:40:00

Hi Ab,

Yes, that's what I do:

type
  TDummySQLUser = class(TSQLAuthUser)
  protected
    procedure SetPasswordPlain(const Value: RawUTF8); override;
  public
    constructor Create( aUserName, aPassword : RawUTF8 ); reintroduce;
  end;
  TDummySQLGroup = class(TSQLAuthGroup)
  public
    constructor Create; reintroduce;
  end;

{ TDummySQLUser }

procedure TDummySQLUser.SetPasswordPlain(const Value: RawUTF8);
begin
  PasswordHashHexa := EncryptIBPass( Value );
end;

constructor TDummySQLUser.Create( aUserName, aPassword : RawUTF8 );
begin
  inherited Create;
  fID := 1;
  LogonName := aUserName;
  PasswordHashHexa := aPassword;
  GroupRights := TDummySQLGroup.Create();
end;

{ TDummySQLGroup }

constructor TDummySQLGroup.Create;
begin
  fID := 1;
  Ident := 'User';
end;

and then in my server class:

function TAbstractServer.RetrieveRevelightUser(
  Sender: TSQLRestServerAuthentication; Ctxt: TSQLRestServerURIContext;
  aUserID: TID; const aUserName: RawUTF8): TSQLAuthUser;
var
  Res : ISQLDBRows;
begin
  Result := nil;
  Res := fDbConnection.Execute(
    'select USER_ID, USER_PASSWORD '+
      'from USERS '+
     'where ACTIVE_FLAG=? and '+
           'USER_ID=UPPER(?)',
    [
      cACTIVEFLAG_ACTIVE,
      aUserName
    ]);
  if Res.Step then begin
    Result := TDummySQLUser.Create(Res['USER_ID'], Res['USER_PASSWORD']);
  end;
end;

Which works pretty well, as long as SetPasswordPlain is virtual.

I am experiencing some other issues too. From my test client it looks like my session is disappearing. From the logs I can see the Authentication attempt come through and succeed, but then the next call to [server]/[service]._contract_ I get a

{  "errorCode":403,  "errorText":"Forbidden"  }

response.

esmondb · 2015-07-27 11:58:25

I got the 403 error in a similar situation the other day. I had forgotten to set TSQLAuthGroup.SessionTimeout which reverted to 0.

willo · 2015-07-27 12:12:19

That was a good idea, but setting TSQLAuthGroup.SessionTimeout to 999999 has the same effect

esmondb · 2015-07-27 12:34:08

Maybe there is something wrong with TSQLAuthGroup.SQLAccessRights. Perhaps try setting it to:

const
  SERVICE_ACCESS_RIGHTS: TSQLAccessRights =
    (AllowRemoteExecute: [reService];
    GET: []; POST: [];
    PUT: []; DELETE: []);

willo · 2015-07-27 13:02:08

Thanks esmondb, but I'm starting to think that Ab was right and I should abandon the Auth stuff in mORMot. The issue seems to be that when CreateMissingTables is called, it creates the dummy tables, with no/basic/default information in.
This has the side effect that Group information will always be Admin (when forced to ID:1) and all the group information will always be default.

This doesn't play well with trying to force the Authentication credentials, as it keeps overriding group information from the in memory created group.

When I have more time to play, I'll see if it is possible to derive a new HTTP server that allows for a more flexible authentication/authorization model.

willo · 2015-07-27 13:59:56

Yay! Found the problem!

The issue is in TSQLRestServerAuthenticationHttpBasic.RetrieveSession

Ab, can you please change line mORMot.pas[44879]:

    with TSQLAuthUser.Create do

to:

    with Ctxt.Server.SQLAuthUserClass.Create do

willo · 2015-07-28 14:52:41

*bump*

Would it help if I submit a pull request?

ab · 2015-07-28 15:27:44

Please try http://synopse.info/fossil/info/9363cb2e4d

I also defined the class function ComputeHashedPassword as virtual so that you may use your own hashing algorithm for this TSQLAuthUser class.

willo · 2015-07-29 06:36:28

Thanks Ab!

mORMot Open Source

#1 2015-07-27 10:51:57

Implementing your own password hash

#2 2015-07-27 11:27:16

Re: Implementing your own password hash

#3 2015-07-27 11:40:00

Re: Implementing your own password hash

#4 2015-07-27 11:58:25

Re: Implementing your own password hash

#5 2015-07-27 12:12:19

Re: Implementing your own password hash

#6 2015-07-27 12:34:08

Re: Implementing your own password hash

#7 2015-07-27 13:02:08

Re: Implementing your own password hash

#8 2015-07-27 13:59:56

Re: Implementing your own password hash

#9 2015-07-28 14:52:41

Re: Implementing your own password hash

#10 2015-07-28 15:27:44

Re: Implementing your own password hash

#11 2015-07-29 06:36:28

Re: Implementing your own password hash

Board footer