kitura / kitura-credentialshttp Goto Github PK

View Code? Open in Web Editor NEW

15.0 21.0 12.0 719 KB

A plugin for the Kitura-Credentials framework that authenticates using HTTP Basic and Digest authentication

License: Apache License 2.0

Swift 100.00%

kitura-credentialshttp's Introduction

Kitura-CredentialsHTTP

A plugin for the Kitura-Credentials framework that authenticates using HTTP Basic and Digest authentication.

Summary

A plugin for Kitura-Credentials framework that authenticates using HTTP Basic and Digest authentication.

Our implementation of Digest authentication doesn't remember nonce values it generated, and doesn't check received request's nonce and nc. It uses MD5 algorithm, and the quality of protection (qop) is 'auth'.

Swift version

The latest version of Kitura-CredentialsHTTP requires Swift 4.0 or later. You can download this version of the Swift binaries by following this link. Compatibility with other Swift versions is not guaranteed.

Usage

Add dependencies

Add the Kitura-CredentialsHTTP package to the dependencies within your application’s Package.swift file. Substitute "x.x.x" with the latest Kitura-CredentialsHTTP release.

.package(url: "https://github.com/Kitura/Kitura-CredentialsHTTP.git", from: "x.x.x")

Add CredentialsHTTP to your target's dependencies:

.target(name: "example", dependencies: ["CredentialsHTTP"]),

Import packages

import CredentialsHTTP

Basic authentication

To create an instance of CredentialsHTTPBasic plugin, a VerifyPassword function and an optional realm should be passed to the constructor:

public init (verifyPassword: @escaping VerifyPassword, realm: String?=nil)

verifyPassword is a function of type:

/// Type alias for the callback that verifies the userId and password.
/// If the authentication pair verifies, then a user profile is returned.
public typealias VerifyPassword = (userId: String, password: String, callback: @escaping (UserProfile?) -> Void) -> Void

Digest authentication

CredentialsHTTPDigest initialization is similar to CredentialsHTTPBasic. In addition, an optional opaque value can be passed to the constructor.

Example

Codable routing

First create a struct or final class that conforms to TypeSafeHTTPBasic, adding any instance variables, which you will initialise in verifyPassword:

import CredentialsHTTP

public struct MyBasicAuth: TypeSafeHTTPBasic {

    public let id: String

    static let users = ["John" : "12345", "Mary" : "qwerasdf"]

    public static func verifyPassword(username: String, password: String, callback: @escaping (MyBasicAuth?) -> Void) {
        if let storedPassword = users[username], storedPassword == password {
            callback(MyBasicAuth(id: username))
        } else {
            callback(nil)
        }
    }
}

Add authentication to routes by adding your TypeSafeHTTPBasic object, as a TypeSafeMiddleware, to your codable routes:

router.get("/protected") { (userProfile: MyBasicAuth, respondWith: (MyBasicAuth?, RequestError?) -> Void) in
   print("authenticated \(userProfile.id) using \(userProfile.provider)")
   respondWith(userProfile, nil)
}

Raw routing

This example shows how to use this plugin to authenticate requests with HTTP Basic authentication. HTTP Digest authentication is similar.

First create an instance of Credentials and an instance of CredentialsHTTPBasic plugin, supplying a verifyPassword function:

import Credentials
import CredentialsHTTP

let credentials = Credentials()
let users = ["John" : "12345", "Mary" : "qwerasdf"]
let basicCredentials = CredentialsHTTPBasic(verifyPassword: { userId, password, callback in
    if let storedPassword = users[userId], storedPassword == password {
        callback(UserProfile(id: userId, displayName: userId, provider: "HTTPBasic"))
    } else {
        callback(nil)
    }
})

Now register the plugin:

credentials.register(plugin: basicCredentials)

Connect credentials middleware to profile requests:

router.all("/profile", middleware: credentials)

If the authentication is successful, request.userProfile will contain user profile information:

router.get("/profile", handler:
    { request, response, next in
      ...
      let profile = request.userProfile
      let userId = profile.id
      let userName = profile.displayName
      ...
      next()
})

Troubleshooting

Seeing error ld: library not found for -lCHttpParser for architecture x86_64 on build?

To solve this, go to your Xcode build settings and add $SRCROOT/.build/debug to the Library Search Paths for the CredentialsHTTP targets.

License

This library is licensed under Apache 2.0. Full license text is available in LICENSE.

kitura-credentialshttp's People

Contributors

Stargazers

Watchers

Forkers

gtaban bdhernand jarrodparkes gmosx mman seabaylea momentabv kiturakommunity dannys42-contrib isabella232 bobbyski jefferyq7

kitura-credentialshttp's Issues

Issue with linking of CommonCrypto

Hello,
I want add HTTP basic auth to my project but when I add CredentialsHTTP package I got error during building the package - http://prntscr.com/ihtfu7

Also I found it's a common issues:
Kitura/BlueCryptor#27
Kitura/BlueCryptor#29

With the same list of packages, but without CredentialsHTTP everything is built fine http://prntscr.com/ihthyi
Please help me with this issue.

Thanks in advance,
Oleksandr

fatal error CredentialsHTTPBasic.swift:96 on wrong headers

If the Authorisation Header is not correct the whole app is crashing. As this is a server add-on, it should fail silently and not crash.

So there should be a check on whether authorizationComponents array has at least 2 items, before accessing the items.

VerifyPassword should use an escaping closure

Issue descriptioon

VerifyPassword is currently defined as follows (with a nonescaping closure for UserProfile):
public typealias VerifyPassword = (String, String, (UserProfile?)->Void) -> Void

However, when using e.g. Kuery for doing DB lookups to verify passwords from a database, DB query functions are escaping. This results in code like the following example:

let basicCredentials = CredentialsHTTPBasic( verifyPassword: { userID, password, callback in
    let query = Select(users.email, users.password, from: users)
        .where(users.email == userID)

    connection.execute(query: query) { result in
        if let rows = result.asRows {
            if let truePassword = rows[0]["password"] as? String {
                if truePassword == password {
                    callback(UserProfile(id: userID, displayName: userID, provider: "HTTPBasic-Kitura"))
                    return
                }
            }
        callback(nil)
    }
})

In this case the Swift Complier will generate an error:

Closure use of non-escaping parameter 'callback' may allow it to escape

Suggested fix

Change VerifyPassword typealias to use an explicitly escaping closure:

public typealias VerifyPassword = (String, String, @escaping(UserProfile?)->Void) -> Void

ld: library not found for -lCHttpParser for architecture x86_64

I stabled upon this issue when added CredentialsHTTP as dependency to my Kitura project. Basically solution to get this working is same as proposed on main Kitura project in Troubleshooting section
I think this should be added to README.md

Troubleshooting
Seeing error ld: library not found for -lCHttpParser for architecture x86_64 on build:

To solve this, go to your build settings and add $SRCROOT/.build/debug to the Library Search Paths for the CredentialsHTTP targets.

Incorrect handling of password containing colon in HTTP Basic Authentication.

In HTTP Basic Auth, although a username may not contain a colon, a password may. At this point, Kitura authentication fails when supplying a password containing a colon.

The lines in question seem to be here:
https://github.com/IBM-Swift/Kitura-CredentialsHTTP/blob/660c43cf11da63561e45dd14d805c34041bd73fa/Sources/CredentialsHTTP/CredentialsHTTPBasic.swift#L110-L117

The password is set to be the second item in the components (after separating by colons), but actually, the password should be all items after the first, joined by colons. So...

user:pass:with:some:colons

User is item 0. Pass is 1...4 joined by : characters, namely pass:with:some:colons.

Can I custom the login page?

Hi master,
I hava a simple question about the login page.
Can I customize the login page and how?
example: the user name placeholder instead of email.
Thanks.

Update for Swift 4

E.g. update Package.swift

issue: The manifest file at https://github.com/IBM-Swift/CommonCrypto.git (0.1.3) is empty

How do i resolve this issue?
thanks

Authenticating specific resources?

What's the recommended way to authenticate for specific resources using HTTP Basic Auth?

For example, suppose I have an endpoint to POST a message for a certain conversation:

router.post("/messages") { (request, response, next) in
    // Extract conversation UUID from request body...
    let uuid = UUID_FROM_BODY
    // Post the message for this conversation, etc...
    // Respond to client
    response.status(.accepted) 
}

But only certain users are authorized to POST for certain conversations. A UserProfileLoader allows me to check for the existence of a user and confirm their password, but how can I confirm that they have access to a specific resource? E.g. in the example above, I would need to pass the conversation UUID to a UserProfileLoader function in addition to the userId.

The example in the README file is not updated

It doesn't compile

HTTP Basic Auth is providing unauthorized access to protected resources.

I'm working on setting up HTTP Basic Auth and I think I may have found a nasty bug. When I go to the OpenAPI UI and access one of the protected routes, I get the username and password prompt as expected. When I enter an incorrect username and password, the prompt reappears so I can try again with different credentials (expected). The issue is that if I hit the cancel button on the prompt, the server returns a 401 HTTP Status code (expected), but also returns the data that they are not authorized to access (unexpected).

Here is how I setup the Basic Auth:

func initializeBasicAuth(app: App) {
    let credentials = Credentials()
    
    let basicCredentials = CredentialsHTTPBasic(verifyPassword: { username, password, callback in
        UserAuth.authEntry(username: username, onCompletion: { (authMatches, error) in
            if let entries = authMatches, let userAuth = entries.first {
                
                // Check Password
                let saltedPassword = "\(password)\(userAuth.salt)"
                let hashedPassword = hashPassword(saltedPassword)
                
                if hashedPassword == userAuth.hashedPassword {
                    let userProfile = UserProfile(id: userAuth.username,
                                                  displayName: username,
                                                  provider: "HTTPBasic")
                    callback(userProfile)
                } else {
                    callback(nil)
                }
            } else {
                callback(nil)
            }
        })
    })
    
    credentials.register(plugin: basicCredentials)
    app.router.get("/entries", middleware: credentials)
    app.router.put("/entries", middleware: credentials)
    app.router.delete("/entries", middleware: credentials)
}

So if I use the OpenAPI UI to perform a GET request on the /entries endpoint, I still get the JSON data back in the body of the response along with the 401 HTTP Status code in the headers.