#1 2017-02-03 13:46:30

DKA
Member
Registered: 2016-07-05
Posts: 39

mORMot RESTful Authorization handshake

Hi,

I'm using Example 14 :
Project14Client and Project14ServerHttp
I'm trying the HTTP/TCP-IP connection (ComboProtocol.ItemIndex = 0).
Everything works well.

In the code of Project14Client, I replace User by User222 (who doesn't exist):
    case ComboProtocol.ItemIndex of
    2:   TSQLRestServerAuthenticationNone.ClientSetUser(Client,'User','');
    else Client.SetUser('User222','synopse');  // unknown user, password 'synopse'
    end;
I get an error. So far so good.

Now, let's change client

In this video from warleyalex: https://www.youtube.com/watch?v=LIl1HbjxnIA
we can see the process I would like to mimic (about authorization).
Now I'm using a browser + The same server:

if : http://localhost:888/root/auth?UserName=User
result is : {"result":"42f4aeb81c1ef81f771f3de8abca9dcf66901c575530e7672e4b1146474ae650"}
So far so good

But if : http://localhost:888/root/auth?UserName=User222
  the result is the same (User222 does not exist). This I do not understand.

In documentation : 21.1.3.2. mORMot secure RESTful authentication

it is written :
                 Here are the typical steps to be followed in order to create a new user session via mORMot authentication scheme:

                 Client sends a GET ModelRoot/auth?UserName=... request to the remote server - with the above command, it will be GET ModelRoot/auth?UserName=User;
                 Server answers with a hexadecimal nonce contents (valid for about 5 minutes), encoded as JSON result object;

It is not written that the nonce answer is only given if the user exists.

If the behavior I got with the browser is correct:
  - does that mean we can handshake with the server using any UserName, even one that does not exist?
  - does that mean we could have the same nonce all day (if there are thousands of users, for example)?
If the behavior is NOT correct, what did I miss?

Please help.


#2 2017-02-03 16:34:38

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,684

Re: mORMot RESTful Authorization handshake

Check the TSQLRestServerAuthenticationDefault.Auth method in mORMot.pas.

1. The first handshake step works even if UserName is invalid.
It just returns a nonce.
It avoids a DB request at this step, to avoid a naive DDoS attack.

2. The nonce will be valid for 5 minutes, and will be the same for 5 minutes.
TSQLRestServerAuthenticationDefault.CheckPassword will accept the request only if the current or the previous 5-minute nonce matches.
So at most, a nonce will be accepted during 10 minutes.


#3 2017-02-03 23:18:13

DKA
Member
Registered: 2016-07-05
Posts: 39

Re: mORMot RESTful Authorization handshake

Thanks ab.
I understand it better now.


#4 2017-02-09 13:18:17

DKA
Member
Registered: 2016-07-05
Posts: 39

Re: mORMot RESTful Authorization handshake

I'm trying to continue my authentication process. Before trying with a third-party tool, I'm trying to make it work using Delphi like this:

// uses SynCommons (Sha256, RawJSON, _JsonFast), SynCrtSock (TWinHTTP), DateUtils (MillisecondOfTheDay)
procedure TForm1.DoAuth;
var ServerNonce, ClientNonce: String;
    _http, ModelRoot, CompleteRoot, ComputedPassword, UserName, PassWord, salt: string;
    JSONContent: RawJSON;
    doc: Variant;
begin
  ClientNonce := '12345';   // see post #5: this client nonce turns out to be too short
  CompleteRoot := 'http://localhost:888/root';
  ModelRoot := 'root';
  UserName := 'User';
  PassWord := 'synopse';
  salt := 'salt';
  Memo1.Lines.Clear;

  // step 1 - handshake: GET ModelRoot/auth?UserName=... returns the server nonce
  _http := 'http://localhost:888/root/auth?UserName=User';
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + '  -  ' + '_http >>> ' + _http);
  JSONContent := TWinHTTP.Get(_http);   // raw JSON body, e.g. {"result":"<hex nonce>"}
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + '  -  ' + 'JSONContent >>> ' + JSONContent);
  doc := _JsonFast(JSONContent);        // TDocVariant: fields are read by late binding
  ServerNonce := doc.result;
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + '  -  ' + 'ServerNonce >>> ' + ServerNonce);

  // step 2 - auth, copied from the documentation:
    // $ GET ModelRoot/auth?UserName=...
    // $  -> returns an hexadecimal nonce contents (valid for 5 minutes)
    // $ GET ModelRoot/auth?UserName=...&PassWord=...&ClientNonce=...
    // $ -> if password is OK, will open the corresponding session
    // $    and return 'SessionID+HexaSessionPrivateKey'
    // The Password parameter as sent for the 2nd request will be computed as
    // ! Sha256(ModelRoot+Nonce+ClientNonce+UserName+Sha256('salt'+PassWord))

  ComputedPassword := Sha256(ModelRoot + ServerNonce + ClientNonce + UserName + Sha256(salt + PassWord));
  _http := CompleteRoot + '/auth?UserName=' + UserName + '&PassWord=' + ComputedPassword + '&ClientNonce=' + ClientNonce;
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + '  -  ' + '_http >>> ' + _http);
  JSONContent := TWinHTTP.Get(_http);   // expected: {"result":"SessionID+HexaSessionPrivateKey",...}
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + '  -  ' + 'JSONContent >>> ' + JSONContent);

  //....
  //....

end;



Here is the memo1.text:
51070884  -  _http >>> http://localhost:888/root/auth?UserName=User
51070897  -  JSONContent >>> {"result":"8432386e2c3b0e400891a239cc3678c90f26e43195559dda3e8111f692b880e5"}
51070897  -  ServerNonce >>> 8432386e2c3b0e400891a239cc3678c90f26e43195559dda3e8111f692b880e5
51070898  -  _http >>> http://localhost:888/root/auth?UserName=User&PassWord=fa8ae08c4e3210e7cc9b13b5b2a7188cddb405cc1323f7003084f785fa35c549&ClientNonce=12345
51070902  -  JSONContent >>> {"result":"8432386e2c3b0e400891a239cc3678c90f26e43195559dda3e8111f692b880e5"}

What is wrong with the second call (with password)?


#5 2017-02-09 17:11:56

DKA
Member
Registered: 2016-07-05
Posts: 39

Re: mORMot RESTful Authorization handshake

I just realized now that my ClientNonce was not OK (too short).
Sorry.


#6 2017-02-10 07:28:18

sonadorje
Member
Registered: 2016-12-20
Posts: 13

Re: mORMot RESTful Authorization handshake

The ClientNonce variable's length must be greater than 32.
Now we can create a GUID by:

// uses SysUtils (CreateGUID, GUIDToString)
function GetGUID: string;
var
  LTep: TGUID;
begin
  CreateGUID(LTep);
  // '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}' is 38 characters, so longer than 32
  Result := GUIDToString(LTep);
end;

ClientNonce := GetGUID;

result will be like this:
2017-02-10 15:29:35  -  JSONContent >>> {"result":"1217222202+DC28B0E7941311C870624AB83E4BC7ECD5E462940A8F218F78CDDD567ED4B396","logonid":3,"logonname":"User","logondisplay":"User","logongroup":3,"server":"Project14ServerExternal","version":"0.0.0.0"}

Last edited by sonadorje (2017-02-10 07:30:48)


#7 2017-02-10 09:26:18

DKA
Member
Registered: 2016-07-05
Posts: 39

Re: mORMot RESTful Authorization handshake

Yes. Using GUID is a good idea. Thanks

