Hi,
I'm using Example 14:
Project14Client and Project14ServerHttp
I'm trying an HTTP/TCP-IP connection (ComboProtocol.ItemIndex = 0).
Everything works well.
In the code of Project14Client, I replace User by User222 (who doesn't exist):
  case ComboProtocol.ItemIndex of
    2: TSQLRestServerAuthenticationNone.ClientSetUser(Client,'User','');
  else
    Client.SetUser('User222','synopse');
  end;
I got an error. So far so good.
Now, let's change the client.
In this video from warleyalex: https://www.youtube.com/watch?v=LIl1HbjxnIA
we can see the process I would like to mimic (about authorization).
Now I'm using a browser + the same server:
If I call: http://localhost:888/root/auth?UserName=User
the result is: {"result":"42f4aeb81c1ef81f771f3de8abca9dcf66901c575530e7672e4b1146474ae650"}
So far so good.
But if I call: http://localhost:888/root/auth?UserName=User222
the result is the same (User222 does not exist). This I do not understand.
In the documentation (21.1.3.2. mORMot secure RESTful authentication)
it is written:
Here are the typical steps to be followed in order to create a new user session via mORMot authentication scheme:
Client sends a GET ModelRoot/auth?UserName=... request to the remote server - with the above command, it will be GET ModelRoot/auth?UserName=User;
Server answers with a hexadecimal nonce contents (valid for about 5 minutes), encoded as JSON result object;
It is not written that the nonce answer is only returned if the user exists.
If the behavior I got with the browser is correct:
- does that mean we can handshake with the server using any UserName, even one that does not exist?
- does that mean we could have the same nonce all day (if there are a thousand users, for example)?
If the behavior is NOT correct, what did I miss?
Please help.
Offline
Check the TSQLRestServerAuthenticationDefault.Auth method in mORMot.pas.
1. The first handshake step works even if UserName is invalid.
It just returns a nonce.
It avoids a DB request at this step, to avoid a naive DDoS attack.
2. The nonce will be valid for 5 minutes, and will be the same for 5 minutes.
TSQLRestServerAuthenticationDefault.CheckPassword will accept the request only if the last or previous 5-minute nonce passes.
So at most, a nonce will be accepted for 10 minutes.
Offline
Thanks ab.
I understand it better now.
Offline
I'm trying to continue my authentication process. Before trying with a third-party tool, I'm trying to make it work using Delphi like this:
// uses SysUtils, DateUtils, SynCommons, SynCrtSock;
procedure TForm1.DoAuth;
var
  ServerNonce, ClientNonce: string;
  _http, ModelRoot, CompleteRoot, ComputedPassword, UserName, PassWord, salt: string;
  JSONContent: RawJSON;
  doc: Variant;
begin
  ClientNonce := '12345'; // the client nonce sent with the second request
  CompleteRoot := 'http://localhost:888/root';
  ModelRoot := 'root';
  UserName := 'User';
  PassWord := 'synopse';
  salt := 'salt';
  Memo1.Lines.Clear;
  // handshake: the first GET returns the server nonce as a JSON result object
  _http := 'http://localhost:888/root/auth?UserName=User';
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + ' - ' + '_http >>> ' + _http);
  JSONContent := TWinHTTP.Get(_http); // Get returns the raw JSON body, no need to wrap it in _Json
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + ' - ' + 'JSONContent >>> ' + string(JSONContent));
  doc := _JsonFast(JSONContent);
  ServerNonce := doc.result;
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + ' - ' + 'ServerNonce >>> ' + ServerNonce);
  // Auth - copied from the documentation:
  // $ GET ModelRoot/auth?UserName=...
  // $ -> returns an hexadecimal nonce contents (valid for 5 minutes)
  // $ GET ModelRoot/auth?UserName=...&PassWord=...&ClientNonce=...
  // $ -> if password is OK, will open the corresponding session
  // $ and return 'SessionID+HexaSessionPrivateKey'
  // The Password parameter as sent for the 2nd request will be computed as
  // ! Sha256(ModelRoot+Nonce+ClientNonce+UserName+Sha256('salt'+PassWord))
  ComputedPassword := Sha256(ModelRoot + ServerNonce + ClientNonce + UserName + Sha256(salt + PassWord));
  _http := CompleteRoot + '/auth?UserName=User&PassWord=' + ComputedPassword + '&ClientNonce=' + ClientNonce;
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + ' - ' + '_http >>> ' + _http);
  JSONContent := TWinHTTP.Get(_http);
  Memo1.Lines.Add(IntToStr(MillisecondOfTheDay(Now)) + ' - ' + 'JSONContent >>> ' + string(JSONContent));
  // ....
  // ....
end;
Here is the Memo1.Text:
51070884 - _http >>> http://localhost:888/root/auth?UserName=User
51070897 - JSONContent >>> {"result":"8432386e2c3b0e400891a239cc3678c90f26e43195559dda3e8111f692b880e5"}
51070897 - ServerNonce >>> 8432386e2c3b0e400891a239cc3678c90f26e43195559dda3e8111f692b880e5
51070898 - _http >>> http://localhost:888/root/auth?UserName=User&PassWord=fa8ae08c4e3210e7cc9b13b5b2a7188cddb405cc1323f7003084f785fa35c549&ClientNonce=12345
51070902 - JSONContent >>> {"result":"8432386e2c3b0e400891a239cc3678c90f26e43195559dda3e8111f692b880e5"}
What is wrong with the second call (with password)?
Offline
I just realized now that my ClientNonce was not OK (too short).
Sorry.
Offline
The ClientNonce variable's length must be greater than 32.
Now we can create a GUID with:
  function GetGUID: string;
  var
    LTep: TGUID;
  begin
    CreateGUID(LTep);
    Result := GUIDToString(LTep);
  end;

  ClientNonce := GetGUID;
The result will be like this:
2017-02-10 15:29:35 - JSONContent >>> {"result":"1217222202+DC28B0E7941311C870624AB83E4BC7ECD5E462940A8F218F78CDDD567ED4B396","logonid":3,"logonname":"User","logondisplay":"User","logongroup":3,"server":"Project14ServerExternal","version":"0.0.0.0"}
Last edited by sonadorje (2017-02-10 07:30:48)
Offline
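A simplified Python model of the two-step handshake described in the thread and of the ClientNonce fix (example code added here, not mORMot's own implementation; the nonce derivation, the session private key and the error JSON are constructed stand-ins, and the 5-minute window and the "longer than 32 characters" rule are taken from ab's and sonadorje's posts):

```python
import hashlib
import secrets
import time

# Simplified model of the mORMot default auth handshake discussed in this thread.
# Added example, not mORMot's code: nonce derivation and failure shape are constructed.
NONCE_WINDOW = 5 * 60    # a nonce is valid for about 5 minutes (ab's post)
MAX_SHORT_NONCE = 32     # ClientNonce must be longer than 32 characters (sonadorje's post)

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

def server_nonce(now: float, previous: bool = False) -> str:
    """Nonce for the current (or previous) 5-minute window. It depends on time only,
    never on UserName, so an unknown user gets exactly the same answer as a known one."""
    window = int(now // NONCE_WINDOW) - (1 if previous else 0)
    return sha256_hex("nonce-window:%d" % window)

def password_hash(password: str) -> str:
    return sha256_hex("salt" + password)  # Sha256('salt'+PassWord), what the server stores

def client_password(model_root, nonce, client_nonce, user_name, password):
    # Sha256(ModelRoot+Nonce+ClientNonce+UserName+Sha256('salt'+PassWord))
    return sha256_hex(model_root + nonce + client_nonce + user_name + password_hash(password))

class AuthServer:
    def __init__(self, model_root: str, users: dict):
        self.model_root = model_root
        self.users = {name: password_hash(pw) for name, pw in users.items()}
        self.next_session = 1

    def auth(self, user_name, password=None, client_nonce=None, now=None):
        now = time.time() if now is None else now
        # Step 1: without a usable PassWord/ClientNonce answer with the nonce and do no user
        # lookup. A too-short ClientNonce lands here too, which is why the second call in the
        # thread got the nonce back instead of a session.
        if not password or not client_nonce or len(client_nonce) <= MAX_SHORT_NONCE:
            return {"result": server_nonce(now)}
        # Step 2: accept the current or the previous window's nonce (at most 10 minutes).
        stored = self.users.get(user_name)
        for nonce in (server_nonce(now), server_nonce(now, previous=True)):
            expected = sha256_hex(self.model_root + nonce + client_nonce + user_name + (stored or ""))
            if stored is not None and secrets.compare_digest(expected, password):
                session_id, self.next_session = self.next_session, self.next_session + 1
                key = secrets.token_hex(32).upper()  # stands in for HexaSessionPrivateKey
                return {"result": "%d+%s" % (session_id, key), "logonname": user_name}
        return {"error": "Authentication Failed"}  # constructed failure shape
```

Running it against a fixed clock reproduces the three observations from the thread: the nonce is the same for User and User222, a ClientNonce of 32 characters or fewer makes the second call return the nonce again, and the previous window's nonce is still accepted while an older one is not.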
Yes. Using GUID is a good idea. Thanks
Offline