#1 2016-11-28 06:48:04

mohsenti
Member
Registered: 2015-04-11
Posts: 72

Sample REST API with GET request

Hi,

How can I make sample 06 into a REST API server, so I can access it with a simple browser GET request like:

http://localhost:1234/API/sum?a=2&b=3

(custom port, and the root is "API")
I want to make a simple API, but use it from the browser.


#2 2016-11-28 08:19:15

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661

Re: Sample REST API with GET request

Export the TServiceServer via HTTP, as in sample 04.
See Unit2.pas file

Don't forget to also take a look at the corresponding doc:
http://synopse.info/files/html/Synopse% … ml#TITL_35
and more precisely
http://synopse.info/files/html/Synopse% … l#TITL_140

To make the method available from plain HTTP browser, you need to disable the authentication for the URI:
- either by ensuring aHandleUserAuthentication=false for TSQLRestServerDB.Create
- or using ServiceMethodByPassAuthentication('sum') method


#3 2016-11-28 10:49:49

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

Re: Sample REST API with GET request

Following ab's instructions, mainly we need to change two places:

function CreateSampleModel: TSQLModel;
begin
  //result := TSQLModel.Create([TSQLSampleRecord]); // default is 'root'

  // edwin
  result := TSQLModel.Create([TSQLSampleRecord], 'API');
end;

And, note the 3rd param below:

  DB := TMyServer.Create(Model,ChangeFileExt(ExeVersion.ProgramFileName,'.db3'),False);

Now my question to Arnaud:
Would you or other knowledgeable people give us some more instruction on authentication from the browser, using plain JS? I mean:

1 - Login: we need to transfer the username and password to the server;
2 - Session management: each client (web browser) needs to maintain its login status, maybe using standard cookies? (Note, I read your doc, you mentioned cookies, but did not provide sample code.)


BTW, I found a very **simple** and easy to understand front-end framework, called intercooler.js
Thanks.

Last edited by edwinsn (2016-11-28 11:55:09)


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.


#4 2016-11-28 11:41:02

jbroussia
Member
From: France
Registered: 2011-04-09
Posts: 74

Re: Sample REST API with GET request

Yeah, I'm there too. Also trying to get some code from warleyalex, who put videos on YouTube doing just that, but he seems to have disappeared?


#5 2016-11-28 11:50:15

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661

Re: Sample REST API with GET request

intercooler.js is indeed an awesome way of interacting with REST servers.
I didn't know about it.

For browser-only authentication, you could use the BASIC or DIGEST mechanism (over a secure https link).
Or rather use the URI-based default authentication of mORMot, but intercepting each URI call.
Perhaps $(document).on("beforeAjaxSend.ic" is the way of adding authentication for intercooler.


#6 2016-11-28 12:55:05

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

Re: Sample REST API with GET request

OK, I came up with an idea for integrating authentication for web browsers. Does the following make sense?


Handling user login:
===
  1 - The browser submits a form, containing the username and password.
  2 - Somewhere on the server side, such as TMyRestServer.Login(), check the username and password; if both of them are correct, generate a random string, such as "b6tUVDzb5vGs6kMuF3SfSv2v8CTemHTBmJmmwrA8", push that string into a server-side 'LoggedInUserTokenList', and store that string as a cookie value on the client side, via TSQLRestServerURIContext.OutSetCookie, something like:

// OutSetCookie holds the whole name=value pair, without surrounding quotes
OutSetCookie := 'userToken=b6tUVDzb5vGs6kMuF3SfSv2v8CTemHTBmJmmwrA8';

  3 - done. From this point, according to the HTTP protocol, every HTTP request from that browser will automatically include the userToken cookie we just set.

Check if the current user is logged in:
===
  1 - In OnBeforeURI, check the input cookie value called userToken, via TSQLRestServerURIContext.InCookie; if the value can be found in 'LoggedInUserTokenList', it means the user is logged in and we allow the execution to continue; otherwise return False and redirect it to TMyRestServer.Login().

Am I correct? Thanks.


Edit 1:
A similar idea is better described here: http://stackoverflow.com/a/32218069/133516
My next reading is about JWT, which seems to go further than the approach described above.

Last edited by edwinsn (2016-11-28 14:39:30)




#7 2016-11-28 16:19:50

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661

Re: Sample REST API with GET request

AFAIK JWT seems not to be integrated into intercooler.js, but we may easily add its support within mORMot.


#8 2016-11-29 07:15:28

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

Re: Sample REST API with GET request

ab wrote:

AFAIK JWT seems not to be integrated into intercooler.js, but we may easily add its support within mORMot.

There are other standalone JS libs for JWT. But I don't think we need to follow the JWT spec strictly? The "Token-based authentication" described in the link below is quite sufficient, I guess:

http://security.stackexchange.com/a/92123/49761




#9 2016-11-29 07:58:06

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661

Re: Sample REST API with GET request

The mORMot scheme is a Session-based Authentication.
There is a light in-memory session handled on the server.
Since each session has an expiration time and uses very little resource, it is a very good balance between power of use and server load.
To be fair, any token-based authentication requires CPU power (e.g. to compute the HMAC, which is not trivial), or it will use some RAM for a cache of previous tokens, so it ends up with some kind of server-side session management...

But both Session-based Authentication and Token-based Authentication, as presented in this link, are weak.
Both use a single token, which is very sensitive to MiM and Replay attacks.
Whereas the mORMot scheme has URL-based authentication: each URL has its own signature, which is stronger than a token.

So instead of JWT, or any other Token-based Authentication (including OAuth2), the mORMot URL signature sounds like a safer approach.
The mORMot URL signature may be used over a plain http link, whereas any token-based auth requires an https link.

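A constructed Python model of the two approaches compared above (the single userToken cookie from #6 versus a signature bound to each URL, as ab describes), added here as an illustration; it is neither the forum's nor mORMot's own code, and the HMAC, the freshness window and the parameter names are assumptions rather than mORMot's real session_signature format.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration, NOT mORMot's real session_signature algorithm:
# it only shows what a bearer token proves versus what a per-URL signature proves.
WINDOW_SECONDS = 300  # assumed freshness window for a signed request


def sign_url(key: bytes, sid: str, ts: int, url: str) -> str:
    """Signature over the session id, a timestamp and the exact URL being called."""
    msg = f"{sid}|{ts}|{url}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.sessions = {}   # session id -> per-session secret, never sent on the wire
        self.bearer = set()  # plain tokens accepted as-is (the #6 cookie design)
        self.seen = set()    # (sid, ts, url) triples already accepted once

    def login(self):
        sid, key = secrets.token_hex(4), secrets.token_bytes(32)
        self.sessions[sid] = key
        token = secrets.token_urlsafe(30)  # what the userToken cookie would carry
        self.bearer.add(token)
        return sid, key, token

    def check_bearer(self, token: str) -> bool:
        # Whoever holds the token is "logged in", for any URL, as often as they like.
        return token in self.bearer

    def check_signed(self, sid: str, ts: int, url: str, sig: str, now=None) -> bool:
        now = time.time() if now is None else now
        key = self.sessions.get(sid)
        if key is None or abs(now - ts) > WINDOW_SECONDS:
            return False  # unknown session or stale timestamp
        if not hmac.compare_digest(sign_url(key, sid, ts, url), sig):
            return False  # URL, timestamp or session id was altered in transit
        if (sid, ts, url) in self.seen:
            return False  # exact replay of a request already served
        self.seen.add((sid, ts, url))
        return True


if __name__ == "__main__":
    srv = Server()
    sid, key, _ = srv.login()
    url, ts = "/API/sum?a=2&b=3", int(time.time())
    print(srv.check_signed(sid, ts, url, sign_url(key, sid, ts, url)))
```

The bearer check accepts the same cookie value from anyone, any number of times, which is the replay weakness ab points at; the signed check ties each request to its URL and time and refuses a second copy.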

#10 2016-11-29 11:26:36

mohsenti
Member
Registered: 2015-04-11
Posts: 72

Re: Sample REST API with GET request

So the code will be like this:

program ProjectServer;

{$APPTYPE CONSOLE}

uses
  SynCommons,
  mORMot,
  SysUtils,
  mORMotHttpServer;

type

  { TServiceServer }

  // method-based service: each published method becomes a REST endpoint,
  // here reachable as GET /root/sum?a=2&b=3 (pass 'API' as the second
  // TSQLModel.Create parameter below to get /API/sum instead)
  TServiceServer = class(TSQLRestServerFullMemory)
  published
    procedure Sum(Ctxt: TSQLRestServerURIContext);
  end;

{ TServiceServer }

procedure TServiceServer.Sum(Ctxt: TSQLRestServerURIContext);
begin
  // Ctxt['a'] reads the a=... URI parameter as a variant
  Ctxt.Results([Ctxt['a'] + Ctxt['b']]);
end;

var
  aModel: TSQLModel;
  aRestServ: TSQLHttpServer;
  aRest: TServiceServer;
  aDef: TSQLHttpServerDefinition;
begin
  aModel := TSQLModel.Create([]); // default root is 'root'
  try
    aDef := TSQLHttpServerDefinition.Create;
    try
      aDef.Https := False;
      aDef.BindPort := '888';
      aDef.EnableCORS := True;
      aDef.WebSocketPassword := '';
      // aHandleUserAuthentication defaults to false, so a plain browser GET
      // reaches Sum without a mORMot session
      aRest := TServiceServer.Create(aModel);
      try
        aRestServ := TSQLHttpServer.Create(aRest, aDef);
        try
          Write('Press [Enter] to close the server.');
          readln;
        finally
          // stop the HTTP server before freeing the REST server it forwards to
          aRestServ.Free;
        end;
      finally
        aRest.Free;
      end;
    finally
      aDef.Free;
    end;
  finally
    aModel.Free;
  end;
end.

Right?

Now some questions, to understand better how I should work:
1 - Should I use this sample server on a real server, or should I make it work with Apache, for example? Also for HTTPS?
2 - Should I use it as this server, or somehow make it a CGI? How?
3 - Where can I read about making a simple authentication, like a simple API key for example?
I tried to read the examples and the doc, but they are either too easy or too complicated, and I want to know "How to run a very simple API on my server with mORMot in a real project". What are the steps?


#11 2016-11-29 12:55:03

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

Re: Sample REST API with GET request

@mohsenti,

Sorry for hijacking the thread. Although I think, if you are asking about a web client accessing a mORMot server, my questions posted here are relevant and might also be helpful to you.

@ab,
Then mORMot's scheme is very cool! But how to interact with it from JavaScript inside a web browser? Can you show me some example code? Pseudo code would be enough.




#12 2016-11-29 13:41:33

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571

Re: Sample REST API with GET request

@edwinsn Did you read this thread? Hope it helps.


#13 2016-12-04 19:36:26

mohsenti
Member
Registered: 2015-04-11
Posts: 72

Re: Sample REST API with GET request

Any answer?


#14 2016-12-06 15:51:11

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

Re: Sample REST API with GET request

mpv wrote:

@edwinsn Did you read this thread? Hope it helps.

I haven't, but I will do so soon! Thanks!


