mORMot secure RESTful authentication

mhmda · 2022-04-01 19:35:01

Hello mormots:

Can I test the authentication from Browser/Postman? If yes how I calc the Sha256 (using online tool?)

I tried the example 14 from the browser:
http://localhost:8888/root/Auth?UserName=User

Result:
{"result":"00cc540c5f75a80f0a397efa7d8c7780d5e30c3bcb8d5bfb617af11caa71529f"}

------------------------------------
Next (as the document says):
------------------------------------
- Client sends a GET ModelRoot/auth?UserName=...&PassWord=...&ClientNonce=... request to the remote server, in which ClientNonce is a random value used as Client nonce, and PassWord is
computed from the log-on and password entered by the User, using both Server and Client nonce as salt;

--> I need more explanation here because I searched the forum and found this:

where xxxxxxxxxxxxxxx = sha256hash( 'root' + servernonce + clientnonce+ clientname + passwordhashhexa )
and passwordhashexa = sha256hash( "salt" + password )
Where "salt" is actually the word: salt

Is that right?

Last edited by mhmda (2022-04-01 21:12:13)

ab · 2022-04-02 07:17:22

Use the source, Luke !

(I am AFK at that moment)

mhmda · 2022-04-02 07:53:41

I need to understand that scheme in order to give my clients clean instructions on how to connect to the REST server.

I don't know which language they will use: Python, Java, JS, Delphi, C++...

I just follow the documentation:

https://blog.synopse.info/?post/2013/06 … horization

The first step is clean and understood.

The second step where the client needs to generate a random nonce (length >=32) it's not clear, because in some posts in this forum I see different explanations than the instruction from the link above:

- Client sends a GET ModelRoot/auth?UserName=...&PassWord=...&ClientNonce=...

1. Username= User (default)

2. ClientNonce= random (length>=32)

3. PassWord= computed from the log-on and password entered by the User... (what do you mean computed from the log-on ??)

I don't know how exactly to calculate the password :-)

Last edited by mhmda (2022-04-02 08:04:01)

ab · 2022-04-02 08:06:03

The documentation is at https://synopse.info/files/html/Synopse … ml#TITL_98

mhmda · 2022-04-02 08:53:01

Hi AB,

I already read that but still not clear how can I calc the PassWord in the second call, I want to simulate that using browser or Postman in order to be clear to me.

I tried this from project14:

SHA256('root'+{model root}
'be092c9049c07d3a73381f7dc1c8cee65d55b1330867ea1d219a8a7b46f9a016'+{server nonce from 1st call}
'fe69ac7d604148b7935ac58213b6323f'+{client nonce random 32 GUID}
'User'+{username}
SHA256('salt'+'synopse'){'salt'+password});

The result always is something like this:

{"result":"2e195bbd72b09b4de054ee2ceaa0862b1241bc9456bea40084cc5f8113a5d044"}

And NOT:

{"result":"1217222202+DC28B0E7941311C870624AB83E4BC7ECD5E462940A8F218F78CDDD567ED4B396","logonid":3,"logonname":"User","logondisplay":"User","logongroup":3,"server":"Project14ServerExternal","version":"0.0.0.0"}

Am I missing something?! I'll appreciate any help :-)

Last edited by mhmda (2022-04-02 09:41:46)

mhmda · 2022-04-02 11:24:51

NP. I got it work so far:

{"result":"288765500+46CDD1D8F9F632615E77F8E70B6A4A9F9065A6C34E4DEB78C4CB252F8DBCDEAC","logonid":3,"logonname":"User","logondisplay":"User","logongroup":3,"timeout":60,"server":"Project14ServerHttp","version":""}

Last edited by mhmda (2022-04-02 18:23:51)

mORMot Open Source

#1 2022-04-01 19:35:01

mORMot secure RESTful authentication

#2 2022-04-02 07:17:22

Re: mORMot secure RESTful authentication

#3 2022-04-02 07:53:41

Re: mORMot secure RESTful authentication

#4 2022-04-02 08:06:03

Re: mORMot secure RESTful authentication

#5 2022-04-02 08:53:01

Re: mORMot secure RESTful authentication

#6 2022-04-02 11:24:51

Re: mORMot secure RESTful authentication

Board footer