About user authentication

shobits1 · 2018-01-31 02:23:26

I started playing with TMVCApplication to create a web application for library management; with beginner experience on mormot, I found myself struggling on my first 2 problems.

1. I want to create 2 applications one for admins and stuff,, the other one for the students and guests; I don't know if this the best approach (I can use only one app) but I decided to go this way and explore if it is good.... the first obstacle is sharing the MVCSession between the 2 applications so if student has role of stuff he can switch between the two without login again. (for now I created third app for login and this app passes it's MVCSession to other 2 so they won't create their own and all three have the same MVCSession)

it looks like this (I don't like it),, but I don't know how to do it other way.

aServer := TUMSRestServerDB.Create('UMS'); 
aHTTPServer := TUMSHttpServer.Create('80', [aServer]);

aUserRightsApp := TUserRightsApplication.Create;
aUserRightsApp.Start(aServer, '', 'Logins', nil); // passing nil makes app creates it's own MVCSession
                                                              // login won't have sub URI like admin and student
aAdminApp := TUMSAdminApplication.Create;
aAdminApp.Start(aServer, 'Admin', 'Admins',aUserRightsApp.CurrentSession);

aAgentStudent := TUMSStudentApplication.Create;
aAgentStudent.Start(aServer, 'Student', 'Students',aUserRightsApp.CurrentSession);

// Logins, Admins, Students are the names of static folders for each application
// application my have separated servers in future and probably AdminApp will be used locally and StudentApp will serve over internet (just an idea)

Accessing will look like this:
[SERVER]/UMS/login
[SERVER]/UMS/Admin/AdminView
[SERVER]/UMS/Student/StudentView

2. I use this for Javascript authentication, for now I tested it with default user (username:User, password:synopse) it works fine,,, but if I go to the login page again I can login infinitely and server creates new Session instance each login... how should I handle this so the user won't be able to access the login page once loged in and have only one session per user.

Any advice will be much appreciated.

thanks in advance and thank you ab for your great work.

ab · 2018-01-31 09:06:27

1. I didn't remember the Start() method could receive the MVCSession of another instance.
I guess this is how it should be done.

2. Why use JavaScript authentication, which is for REST services, not for MVC access?
Perhaps you are confusing the two context.
MVC does not use the REST authentication.

shobits1 · 2018-01-31 13:52:47

the Start () method is overridden method which accepts MVCSession.

2. how should I use authentication with MVC?? I want to use the mormot authentication scheme which is better than anything I would come up with.

btw, I vaguely differentiate between REST and MVC, since REST is always accessible from the browser, and in fact I'll use it with Ajax for lazy loading .

ab · 2018-01-31 14:03:24

Our REST authentication request that a signature is appended to every URL.
This is easy with an AJAX request, but not feaseable with a web application.
For web applications, use cookies, as proposed by MVC.

shobits1 · 2018-01-31 17:00:02

I'll try to reread the documentation and understand the samples better,, but one last question, can I use REST authentication and MVC access (cookies) at the same time (with only one login), since I'll use ajax to interact with REST and MVC controller to grant proper access to each user.

BTW, are fake URI (ex. root/methodname/json) belongs to REST or the MVC.

now, I know I'm trying to mix two things which may complicate things for better or for worse; but I really lost here.

I keep forgetting to thank you,, so thank you very much for your help.

Last edited by shobits1 (2018-01-31 17:01:13)

ab · 2018-01-31 17:10:21

Yes, the same server instance can provide REST services (and authentication) and MVC web content at the same time, but not with one login.
I think you will be stuck to the cookie authentication as used by MVC.

You could maintain a separated REST authentication at the same time, e.g. by intercepting the login page, and calling, via AJAX, the REST server to create a REST session.
Then any AJAX request will use the very same session signature.
Of course, it will require that the login/password for both MVC and REST do match!
Idea is that it could be transparent for the user, if all is done on client side, using some JavaScript code.

shobits1 · 2018-01-31 21:12:17

Thanks ab,

after thinking things over and for simplicity; I'll try to use cookie authentication, avoid REST services as much as I can and see where it leads me. this will help me know mORMot a little more and maybe know how to do the project in better approach.

EDIT:

BTW, if I have a procedure like this:

procedure TUserRightsApplication.Login(const LogonName, PlainPassword: RawUTF8);

is it ok,, to use the procedure for View and authenticate the user? instead of two separate procedure.

procedure TUserRightsApplication.Login; // generate the login view
function TUserRightsApplication.doLogin(const LogonName, PlainPassword: RawUTF8): TMVCAction; // called to authenticate the user

Last edited by shobits1 (2018-01-31 21:38:04)

mORMot Open Source

#1 2018-01-31 02:23:26

About user authentication

#2 2018-01-31 09:06:27

Re: About user authentication

#3 2018-01-31 13:52:47

Re: About user authentication

#4 2018-01-31 14:03:24

Re: About user authentication

#5 2018-01-31 17:00:02

Re: About user authentication

#6 2018-01-31 17:10:21

Re: About user authentication

#7 2018-01-31 21:12:17

Re: About user authentication

Board footer