Hello, I'm trying to do a WEB authentication on a server created with MORMOT, and I'm having difficulties
I make a request
http://localhost:6666/root/Auth?UserName=SUPERVISOR
it returns me a code
{
"result": "0640eb9fbf61b4e47650154f0cfd088096e0544d7875e3d3d2835a89cb563102"
}
Right after, I make a second request
http://localhost:6666/root/Auth?UserName=SUPERVISOR&PassWord=123&ClientNonce=0640eb9fbf61b4e47650154f0cfd088096e0544d7875e3d3d2835a89cb563102
And I have the return
{
"result": "1065542664+693AB24B2FE8F63B45963FB89A030CE4B188D8E1FB296DDB93B9B334EA0F446B",
"loginid": -1,
"logonname": "SUPERVISOR",
"logondisplay": "SUPERVISOR",
"logongroup": 3,
"timeout": 60,
"server": "SPAMME_V07001_R001",
"version": "7.1.1.4"
}
Now I need to consume a test call
http://localhost:6666/root/Hello?session_signature=
and it asks me for this "session_signature", how is this value generated?
I already tried with the return of the previous call "1065542664+693AB24B2FE8F63B45963FB89A030CE4B188D8E1FB296DDB93B9B334EA0F446B" but it returns an error
{
"errorCode": 403,
"errorText": "Authentication Failed: Invalid signature (0)"
}
Authentication is fully documented with https://synopse.info/files/html/Synopse … ml#TITL_43
And the signature is at https://synopse.info/files/html/Synopse … ml#TITL_98
You have sample web code in the forum e.g. in https://synopse.info/forum/viewtopic.php?pid=2995#p2995 and following posts.
So my friend, I know, I already looked at this documentation. I've been trying for a few days and still haven't succeeded....
I've done this 1000x different ways but it doesn't give me a valid session_signature...
The last part for me was not clear...
"The URI signature, using the session private key, the user hashed password, and the supplied Client Time Stamp as source for its crc32 hashing algorithm."
I even found an example in Java within the mORMot sources; could you make these steps a little clearer in the last part of the 3-factor code there?
I know that your time must be very busy, that you have to study and research more. I really am having great difficulty in this part; if you can at least give me a little help to better understand the last part, I thank you!
Just tell me where I'm going wrong and I'll do the rest
- - - - - - - - - - -
My Case
- - - - - - - - - - -
Urlbase: http://localhost:6666/
FunctionUrl: http://localhost:6666/root/Hello?session_signature=
UserName: SUPERVISOR
Password: DBM
- - - - - - - - - - -
Step 1
- - - - - - - - - - -
Url Request 1:
http://localhost:6666/root/Auth?UserName=SUPERVISOR
clientNonce: 4a978da94aed4402310ce044f42d141fc9d79ea74fe5c067b5958a8fee7c1a3c
- - - - - - - - - - -
Step 2
- - - - - - - - - - -
Url Request 2: http://localhost:6666/root/Auth?UserName=SUPERVISOR&PassWord=DBM&ClientNonce=3f7b950a5f81731a0973fe12c8e48bf9c63c920b37cc585414cc4587bdf7aa12
sessionAuthentication:
{
"result": "541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C",
"logonid": -1,
"logonname": "SUPERVISOR",
"logondisplay": "SUPERVISOR",
"logongroup": 3,
"timeout": 60,
"server": "SPAMME_V07001_R001",
"version": "7.1.1.4"
}
// SessionKey = value of ["result"] on sessionAuthentication
sessionKey: 541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C
// sessionId = Copy of Digits on sessionKey before "+"
sessionId: 541010933
// privateKey = Copy of Digits on sessionKey after "+"
privateKey: 8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C
// sessionIdHexa8 = Hexa of sessionId Pad Left (8,0)
sessionIdHexa8: 203f2bf5
// passwordHexa = SHA256 of PassWord
passwordHexa: 588b7c1c3ddda23b3e89b452e767139d68432cdc5581b3dd360901e12efe2201
// sessionPrivateKey
// long r = CRC32.calculate(sessionKey, 0);
// sessionPrivateKey = CRC32.calculate(passwordHexa, r);
sessionPrivateKey: 725205751
- - - - - - - - - - -
Step 3
- - - - - - - - - - -
Date to Generate Nonce: 2023-03-29 15:52:34.600516
dateToTimeStamp256: 6562952
nonce (dateToTimeStamp256 in Hexa): 00642488
signature: 2896200956
signatureHexa: aca084fc
Right now my biggest question is:
When generating CRC32, what do I use as a url?
I use the value [ http://localhost:6666/root/Hello ] ?
I use the value [ root/Hello ] ?
I use the value [ http://localhost:6666/root/Hello? ] ?
I use the value [ root/Hello? ] ?
sessionSignature: 203f2bf500642488aca084fc
sessionSignaturePrint: 203f2bf5-00642488-aca084fc
- - -
Url Request 3:
http://localhost:6666/root/Hello?session_signature=203f2be900642479ba5015c6
{errorCode: 403, errorText: Authentication Failed: Invalid signature (0)}
I'm asking for help because I've tried everything exactly as stated in the manual, in the doc on the forums... And I can't find the problem
Last edited by claudneysessa (2023-03-29 19:25:00)
> I'm asking for help because I've tried everything exactly as stated in the manual, in the doc on the forums... And I can't find the problem
First of all, you didn't write which programming language you are working with.
It could be that the source code for JS authentication you find in the forum is no longer up to date. In any case, you have to read the documentation. If you don't understand the process from the description, write a simple Delphi example for server and client, or take an existing example and follow the process in the debugger. It is helpful at the beginning if you first switch off the timestamp check on the server. You do this like this:
(AuthenticationRegister(TRestServerAuthenticationDefault) as TRestServerAuthenticationSignedUri).NoTimestampCoherencyCheck := True;
With best regards
Thomas
Last edited by tbo (2023-03-29 21:01:43)
Look, to be honest, I expected a little more from a support FORUM for such a cool tool.
If I demonstrated the step by step, with examples of what I generated, there in my POST, it means that I read the manual and implemented it, but I am having difficulties. A common thing, because MORMOT is a very complex tool with many details.
Well, I can't count on SUPPORT, so I'll carry on and try to solve it my way, but here's my frustration: the manual talks very vaguely about the subject; some may have the power of abstraction to solve it, others don't.
A little empathy is lacking in wanting to help others.
Without further ado and thank you for your attention.
Last edited by claudneysessa (2023-03-30 15:40:41)
> A little empathy is lacking in wanting to help others.
If you want help, you should allow it. A good start would be to answer my first question. The following start, for example, would be helpful:
Server: Delphi 11.3, mORMot2 GitHub commit 5186
My web application is a PWA. I would like to implement the authentication with JavaScript.
If someone has something suitable, they will help you. It has worked for thousands of others.
If no one has an answer, then follow my second recommendation. Look at the respective implementation in the units mormot.rest.server and mormot.rest.client. In the unit mormot.rest.client you will find the class TRestClientAuthenticationDefault. Set a breakpoint in the relevant functions (ClientComputeSessionKey etc.) and follow the further steps.
With best regards
Thomas
> Look, to be honest, I expected a little more from a support FORUM for such a cool tool.
> If I demonstrated the step by step, with examples of what I generated, there in my POST, it means that I read the manual and implemented it, but I am having difficulties. A common thing, because MORMOT is a very complex tool with many details.
> Well, I can't count on SUPPORT, so I'll carry on and try to solve it my way, but here's my frustration: the manual talks very vaguely about the subject; some may have the power of abstraction to solve it, others don't.
> A little empathy is lacking in wanting to help others.
> Without further ado and thank you for your attention.
I know what you're feeling, I had the same problem on this forum and couldn't find the solution, which stopped my progress. Everyone suggests me the holy documentation that I don't understand and it does not show the real solutions. I hate documentation; a lot of simple samples is enough in many other projects such as DevExpress, DMVC and many many more. Does someone read the DevExpress documentation to start making cool apps?? No visual components, no real support, very slow responses, hard developing for every stupid project, no simple Swagger integration... Finally I moved to DMVC and made the same project in 1 month, compared to almost 1 year in the mORMot framework. I also actively joined their community - EventSource implementation.
@radexpol - it's not correct to compare commercial and open source projects. IMHO @ab provides the best support I have ever seen in the open source world. Thousands of questions have been answered in this forum (for free)
@claudneysessa - there is already a link to a JavaScript auth example in this answer
> I know what you're feeling, I had the same problem on this forum and couldn't find the solution, which stopped my progress. Everyone suggests me the holy documentation that I don't understand and it does not show the real solutions. I hate documentation; a lot of simple samples is enough in many other projects such as DevExpress, DMVC and many many more. Does someone read the DevExpress documentation to start making cool apps?? No visual components, no real support, very slow responses, hard developing for every stupid project, no simple Swagger integration.
When I look at your profile, you've only asked questions here, never really helped others, and yet you've always been answered. When I read your comment, I think: Find the mistake!
Good morning,
I apologize, I don't think I expressed myself correctly, but it's a little annoying to spend hours reading a manual, follow all the steps without leaving any out, have a question, ask, and receive a response of "Read the documentation"; that is, I just read it, implemented it and it didn't work. Maybe something is missing in the documentation to help...
I'm testing on:
- Java
- Using Http Client
- dart
- Using Http Client
- Delphi (pascal object)
- Using RESTClient
I think this is transparent because if I'm using standard HTTP requests this should work the same regardless of the language I'm working with...
I'm having problems with the session_signature... I even tried to implement something with helpers to see if it would solve it.
That's why I made the previous post with all the data I generated, to see if I'm doing something wrong; apparently all the coding is correct... but in a piece of code it gives an error.
In this place:
function TSQLRestServerAuthenticationSignedURI.RetrieveSession(
  Ctxt: TSQLRestServerURIContext): TAuthSession;
var aTimestamp, aSignature, aMinimalTimestamp, aExpectedSignature: cardinal;
    PTimestamp: PAnsiChar;
    aURLlength: Integer;
begin
  result := inherited RetrieveSession(Ctxt);
  if result=nil then
    exit; // no valid session ID in session_signature
  if Ctxt.URISessionSignaturePos+(18+8+8+8)>length(Ctxt.Call^.url) then begin
    result := nil;
    exit;
  end;
  aURLlength := Ctxt.URISessionSignaturePos-1;
  PTimestamp := @Ctxt.Call^.url[aURLLength+(20+8)]; // points to Hexa8(Timestamp)
  aMinimalTimestamp := result.fLastTimestamp-fTimestampCoherencyTicks;
  if HexDisplayToCardinal(PTimestamp,aTimestamp) and
     (fNoTimestampCoherencyCheck or (integer(aMinimalTimestamp)<0) or // <0 just after login
     (aTimestamp>=aMinimalTimestamp)) then begin
    aExpectedSignature := fComputeSignature(result.fPrivateSaltHash,PTimestamp,
      pointer(Ctxt.Call^.url),aURLlength); // <<<<<< ============================ !!! HERE !!!
    if HexDisplayToCardinal(PTimestamp+8,aSignature) and
       (aSignature=aExpectedSignature) then begin // <<<<<< ====================== !!! HERE !!!
      if aTimestamp>result.fLastTimestamp then
        result.fLastTimestamp := aTimestamp;
      exit;
    end else begin
      {$ifdef WITHLOG}
      Ctxt.Log.Log(sllUserAuth,'Invalid Signature: expected %, got %',
        [Int64(aExpectedSignature),Int64(aSignature)],self);
      {$endif}
    end;
  end else begin
    {$ifdef WITHLOG}
    Ctxt.Log.Log(sllUserAuth,'Invalid Timestamp: expected >=%, got %',
      [aMinimalTimestamp,Int64(aTimestamp)],self);
    {$endif}
  end;
  result := nil; // indicates invalid signature
end;
I already tested several libraries to generate the hash and the CRC32; apparently they are being generated correctly, but it always hangs in this piece of code that I pointed out.
I am not managing to evolve, because apparently I followed without fail what is written in the documentation, but the authentication is always rejected...
In this example it is not clear how I do this validation, because I don't know for sure how the Timestamp thing works. I identified that there is a URL on the server that gives me a timestamp, but even with it I can't get a result that works.
In order to enhance security, the session_signature parameter will contain, encoded as 3 hexadecimal 32-bit cardinals:
The Session ID (to retrieve the private key used for the signature);
A Client Time Stamp (in 256 ms resolution) which must be greater or equal than the previous time stamp received;
The URI signature, using the session private key, the user hashed password, and the supplied Client Time Stamp as source for its crc32 hashing algorithm.
Such a classical 3 points signature will avoid most man-in-the-middle (MITM) or re-play attacks.
Here is a typical signature to access the root URL
root?session_signature=0000004C000F6BE365D8D454
In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, computed by the following Delphi expression:
(crc32(crc32(fPrivateSaltHash,PTimestamp,8),pointer(aURL),aURLlength)=aSignature);
For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6 will have the following URI:
root/People/6?session_signature=0000004C000F6DD02E24541C
Last edited by claudneysessa (2023-04-03 14:58:51)
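An added worked example (not code from the post or from mORMot) of the two derivations above: the session private salt from the step-2 post (crc32 chained over the whole Auth result string and the password hash hexa), the documented crc32(crc32(fPrivateSaltHash, PTimestamp, 8), pointer(aURL), aURLlength) signature, and the matching server-side check from the RetrieveSession code. It assumes mORMot's crc32 is the zlib-compatible CRC-32 (Python's zlib.crc32), takes the stored password hash hexa as a given input rather than deriving it, takes the 256 ms timestamp as a parameter, and, following aURLlength := URISessionSignaturePos-1 above, hashes only the server-relative URI before the '?' or '&' that introduces session_signature= ("root/Hello", not the full http://localhost:6666/... URL).

```python
import re
import zlib
from typing import Callable, Optional, Tuple

PARAM = "session_signature="
# Sample values taken from the post above; the password hash is used as the poster computed it.
POST_SESSION_KEY = "541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C"
POST_PASSWORD_HASH_HEXA = "588b7c1c3ddda23b3e89b452e767139d68432cdc5581b3dd360901e12efe2201"

def crc32_chain(prev: int, data: bytes) -> int:
    """Delphi crc32(prev, pointer(data), length(data)) with the zlib CRC-32 (assumed)."""
    return zlib.crc32(data, prev) & 0xFFFFFFFF

def parse_session_key(session_key: str) -> Tuple[int, str]:
    """Split the Auth 'result' value "<sessionID>+<hex>" into its two parts."""
    session_id, _, private_key_hexa = session_key.partition("+")
    return int(session_id), private_key_hexa

def private_salt_hash(session_key: str, password_hash_hexa: str) -> int:
    """fPrivateSaltHash = crc32(crc32(0, sessionKey), passwordHashHexa); sessionKey
    is the whole "ID+hex" string returned by Auth, not only its hex part."""
    return crc32_chain(crc32_chain(0, session_key.encode()), password_hash_hexa.encode())

def hex8(value: int) -> str:
    """A 32-bit cardinal as 8 hex digits (upper case, as in the documentation example)."""
    return f"{value & 0xFFFFFFFF:08X}"

def sign_uri(url: str, session_id: int, salt: int, timestamp256: int) -> str:
    """Client side. url is the server-relative URI only, e.g. "root/Hello" (no scheme,
    host, leading '/' or '?'): the server hashes exactly that part, up to the '?' or
    '&' introducing session_signature=. The timestamp is hashed as the same 8 hex
    characters that are sent in the URL."""
    ts_hexa = hex8(timestamp256)
    signature = crc32_chain(crc32_chain(salt, ts_hexa.encode()), url.encode())
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{PARAM}{hex8(session_id)}{ts_hexa}{hex8(signature)}"

def verify_uri(signed_url: str, salt_of: Callable[[int], Optional[int]]) -> bool:
    """Server side, mirroring RetrieveSession (timestamp coherency check left out);
    salt_of returns the session's fPrivateSaltHash, or None if the ID is unknown."""
    pos = signed_url.find(PARAM)
    if pos < 1 or signed_url[pos - 1] not in "?&":
        return False
    hex3 = re.match(r"([0-9A-Fa-f]{8})([0-9A-Fa-f]{8})([0-9A-Fa-f]{8})", signed_url[pos + len(PARAM):])
    salt = salt_of(int(hex3[1], 16)) if hex3 else None
    if salt is None:
        return False
    expected = crc32_chain(crc32_chain(salt, hex3[2].encode()), signed_url[: pos - 1].encode())
    return expected == int(hex3[3], 16)
```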
Unfortunately, after a lot of struggle, I couldn't make it work using the MORMOT authentication method. I ended up overwriting some classes with helpers and managed to speed up my life here, but I was sad because I wanted to use it in the standard way, but I don't have much time to do it.
Some points that could improve in the documentation:
Explain better how to compose that 3-valued key.
Being able to pass the session_signature through the header.
Being able to choose the name of the authentication TAG.
About the key encoded as 3 hexadecimal 32-bit cardinals: this is very confusing and little explained. For those who consume it in Delphi it is a wonder, but thinking about the API it is very difficult to reach a satisfactory result.
And, in relation to being able to change the name of the authentication parameter, it would be nice to be able to use, for example, authentication instead of session_signature, and to be able to pass it through the header; today MORMOT is stuck with this being passed in the URL.