#1 2022-10-03 14:06:18

tbo
Member
Registered: 2015-04-20
Posts: 353

Problem with TRestServerAuthenticationHttpBasic

I don't understand the implementation of TRestServerAuthenticationHttpBasic. This authentication is to be used with JavaScript (TMS WebCore). I call the Auth() function and submit my request. After successful execution I set the cookie in the HTML document with:

document.cookie := TJSString(Format('%s=%s;', [REST_COOKIE_SESSION, FSessionIDHex8]));

From now on, the cookie will be sent to the server with every call. The problem begins in the TRestServerAuthenticationHttpBasic.RetrieveSession() function. I successfully get the session, but the rest of the process is beyond me. Already the following comparison with fExpectedHttpAuthentication is not supported in the mORMot client implementation.

Can someone briefly outline the process and how this header is injected to the server for standard requests (img etc)?

With best regards
Thomas

Offline

#2 2022-10-03 15:26:54

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Problem with TRestServerAuthenticationHttpBasic

The cookie is indeed used to identify the session via its hexadecimal identifier.

Look how TRestClientAuthenticationHttpAbstract is implemented in mormot.rest.client.

Offline

#3 2022-10-03 19:41:09

tbo
Member
Registered: 2015-04-20
Posts: 353

Re: Problem with TRestServerAuthenticationHttpBasic

ab wrote:

The cookie is indeed used to identify the session via its hexadecimal identifier.

Yes I know. But function RetrieveSession() requires more than just the cookie set.

TRestServerAuthenticationHttpBasic.RetrieveSession()
...
  result := inherited RetrieveSession(Ctxt); // retrieve cookie
  if result = nil then
    // not a valid 'Cookie: mORMot_session_signature=...' header
    exit;
  if (result.fExpectedHttpAuthentication <> '') and
     (result.fExpectedHttpAuthentication = Ctxt.InHeader['Authorization']) then
    // already previously authenticated for this session
    exit;
  if GetUserPassFromInHead(Ctxt, usrpwd, usr, pwd) then
    if usr = result.User.LogonName then
      with Ctxt.Server.AuthUserClass.Create do
      try
        PasswordPlain := pwd; // compute SHA-256 hash of the supplied password
        if PasswordHashHexa = result.User.PasswordHashHexa then
        begin
          // match -> store header in result (locked by fSessions.Safe)
          result.fExpectedHttpAuthentication := usrpwd;
          exit;

I get session with help of the cookie. But the further process causes problems.

  1. When I request an image (HTML), the cookie is transferred from the client to the server, but I cannot send the additional header that is necessary.

  2. Also ExpectedHttpAuthentication can never be True. ExpectedHttpAuthentication is composed of "user:pass". But on client in function ComputeAuthenticateHeader() the segment is built as follows:

    TRestClientAuthenticationHttpBasic.ComputeAuthenticateHeader()
    ...
      result := 'Authorization: Basic ' + BinToBase64(aUserName + ':' + aPasswordClear);

For my next articles, I implemented authentication using TMS WebCore. None and Default were easy to implement. But for mORMot HttpBasic I read through various documents and get nowhere.

With best regards
Thomas

Last edited by tbo (2022-10-03 19:44:49)

Offline

#4 2022-10-04 07:41:09

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Problem with TRestServerAuthenticationHttpBasic

From what I observe, TRestServerAuthenticationHttpBasic.GetUserPassFromInHead() returns userPass as BinToBase64() on client side.

Offline

#5 2022-10-05 15:56:07

rdevine
Member
Registered: 2014-02-20
Posts: 52

Re: Problem with TRestServerAuthenticationHttpBasic

Hi Thomas - I've created mORMot 2 WebCore units that I'm planning to stick on GitHub in the near future. I haven't created any tests yet which is why I haven't put them up but they seem to work (for interface/method services only - I stripped the ORM functionality out for the first version). I can send you what I've got in the meantime in case it's useful - I'm on gmail.com. Username is rlsdevine.

Cheers, Bob

Offline

#6 2022-10-05 21:12:10

tbo
Member
Registered: 2015-04-20
Posts: 353

Re: Problem with TRestServerAuthenticationHttpBasic

rdevine wrote:

I've created mORMot 2 WebCore units that I'm planning to stick on GitHub in the near future.

Thank you very much for your offer. I only need the different authentications and their implementation with TMS WebCore for the next article in my mORMot series. For this article I have written a simple Miletus application and a method-based server. I've been experimenting with TMS WebCore for some time now, but I haven't used it productively yet. Currently I use mORMot MVCApplication with the CSS frameworks Bootstrap or Bulma and JavaScript.

A direct connection to WebCore would be really great. This integration opens up new possibilities. If you uploaded it to GitHub, I'd be happy to take a look. Due to the problems with HttpBasic and the exceeding of my time budget I have to put TMS WebCore aside for a while. But I am curious how you solved the integration and will come back to it when I have more time.

With best regards
Thomas

Offline

Board footer

Powered by FluxBB