kitura / kitura-credentialshttp
A plugin for the Kitura-Credentials framework that authenticates using HTTP Basic and Digest authentication
License: Apache License 2.0
Hello,
I want to add HTTP basic auth to my project, but when I add the CredentialsHTTP package I get an error while building the package - http://prntscr.com/ihtfu7
I also found that it's a common issue:
Kitura/BlueCryptor#27
Kitura/BlueCryptor#29
With the same list of packages, but without CredentialsHTTP, everything builds fine: http://prntscr.com/ihthyi
Please help me with this issue.
Thanks in advance,
Oleksandr
In HTTP Basic Auth, although a username may not contain a colon, a password may. At this point, Kitura authentication fails when supplying a password containing a colon.
The lines in question seem to be here:
https://github.com/IBM-Swift/Kitura-CredentialsHTTP/blob/660c43cf11da63561e45dd14d805c34041bd73fa/Sources/CredentialsHTTP/CredentialsHTTPBasic.swift#L110-L117
The password is set to be the second item in the components (after separating by colons), but actually, the password should be all items after the first, joined by colons. So...
user:pass:with:some:colons
User is item 0. Pass is 1...4 joined by : characters, namely pass:with:some:colons.
I'm working on setting up HTTP Basic Auth and I think I may have found a nasty bug. When I go to the OpenAPI UI and access one of the protected routes, I get the username and password prompt as expected. When I enter an incorrect username and password, the prompt reappears so I can try again with different credentials (expected). The issue is that if I hit the cancel button on the prompt, the server returns a 401 HTTP status code (expected), but also returns the data that they are not authorized to access (unexpected).
Here is how I set up the Basic Auth:
```swift
func initializeBasicAuth(app: App) {
    let credentials = Credentials()
    let basicCredentials = CredentialsHTTPBasic(verifyPassword: { username, password, callback in
        UserAuth.authEntry(username: username, onCompletion: { (authMatches, error) in
            if let entries = authMatches, let userAuth = entries.first {
                // Check Password
                let saltedPassword = "\(password)\(userAuth.salt)"
                let hashedPassword = hashPassword(saltedPassword)
                if hashedPassword == userAuth.hashedPassword {
                    let userProfile = UserProfile(id: userAuth.username,
                                                  displayName: username,
                                                  provider: "HTTPBasic")
                    callback(userProfile)
                } else {
                    // Wrong password: reject
                    callback(nil)
                }
            } else {
                // No such user: reject
                callback(nil)
            }
        })
    })
    credentials.register(plugin: basicCredentials)
    // Protect the /entries routes with the Basic Auth middleware
    app.router.get("/entries", middleware: credentials)
    app.router.put("/entries", middleware: credentials)
    app.router.delete("/entries", middleware: credentials)
}
```
So if I use the OpenAPI UI to perform a GET request on the /entries endpoint, I still get the JSON data back in the body of the response along with the 401 HTTP status code in the headers.
What's the recommended way to authenticate for specific resources using HTTP Basic Auth?
For example, suppose I have an endpoint to POST a message for a certain conversation:
```swift
router.post("/messages") { (request, response, next) in
    // Extract conversation UUID from request body...
    let uuid = UUID_FROM_BODY
    // Post the message for this conversation, etc...
    // Respond to client
    response.status(.accepted)
}
```
But only certain users are authorized to POST for certain conversations. A UserProfileLoader allows me to check for the existence of a user and confirm their password, but how can I confirm that they have access to a specific resource? E.g. in the example above, I would need to pass the conversation UUID to a UserProfileLoader function in addition to the userId.
I stumbled upon this issue when I added CredentialsHTTP as a dependency to my Kitura project. Basically, the solution to get this working is the same as proposed in the Troubleshooting section of the main Kitura project.
I think this should be added to README.md:
Troubleshooting
Seeing error ld: library not found for -lCHttpParser for architecture x86_64 on build:
To solve this, go to your build settings and add $SRCROOT/.build/debug to the Library Search Paths for the CredentialsHTTP targets.
It doesn't compile
Hi master,
I have a simple question about the login page.
Can I customize the login page and how?
example: the user name placeholder instead of email.
Thanks.
If the Authorisation Header is not correct the whole app is crashing. As this is a server add-on, it should fail silently and not crash.
So there should be a check on whether authorizationComponents array has at least 2 items, before accessing the items.
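Both the colon-in-password report above and this crash report come down to how the decoded `user:password` string is taken apart. The following Swift helper is an added example written for this page, not code from Kitura-CredentialsHTTP; `parseBasicCredentials` and `BasicCredentials` are assumed names. It splits at the first colon only, so the password may contain colons, and returns nil for anything malformed instead of indexing past the end of the components array.

```swift
import Foundation

/// Parsed `user:password` pair. Hypothetical type written for this page.
struct BasicCredentials: Equatable {
    let username: String
    let password: String
}

/// Parses an `Authorization: Basic <base64(user:password)>` header value.
/// Returns nil for anything malformed instead of trapping, and splits the
/// decoded string at the FIRST colon only, so the password may contain colons.
/// Hypothetical helper; not the Kitura-CredentialsHTTP implementation.
func parseBasicCredentials(authorizationHeader: String?) -> BasicCredentials? {
    // No header at all: unauthenticated, not an error.
    guard let header = authorizationHeader else { return nil }

    // Expect exactly "Basic" plus one token; anything else is malformed.
    let parts = header.split(separator: " ", omittingEmptySubsequences: true)
    guard parts.count == 2, parts[0].lowercased() == "basic" else { return nil }

    // Reject tokens that are not valid base64 / UTF-8 before touching any index.
    guard let data = Data(base64Encoded: String(parts[1])),
          let decoded = String(data: data, encoding: .utf8) else { return nil }

    // maxSplits: 1 keeps everything after the first colon as the password.
    // omittingEmptySubsequences: false makes "user:" give an empty password
    // rather than a one-element array that would be indexed out of bounds.
    let components = decoded.split(separator: ":", maxSplits: 1,
                                   omittingEmptySubsequences: false)
    guard components.count == 2, !components[0].isEmpty else { return nil }

    return BasicCredentials(username: String(components[0]),
                            password: String(components[1]))
}

// Constructed sample header values for the three cases discussed in the reports.
let withColons = "Basic " + Data("user:pass:with:some:colons".utf8).base64EncodedString()
let noColon    = "Basic " + Data("useronly".utf8).base64EncodedString()
let notBase64  = "Basic !!!"

print(parseBasicCredentials(authorizationHeader: withColons) as Any) // password contains colons
print(parseBasicCredentials(authorizationHeader: noColon) as Any)    // decoded token has no colon
print(parseBasicCredentials(authorizationHeader: notBase64) as Any)  // token is not base64
```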
VerifyPassword is currently defined as follows (with a non-escaping closure for UserProfile):
```swift
public typealias VerifyPassword = (String, String, (UserProfile?)->Void) -> Void
```
However, when using e.g. Kuery for doing DB lookups to verify passwords from a database, DB query functions are escaping. This results in code like the following example:
```swift
let basicCredentials = CredentialsHTTPBasic(verifyPassword: { userID, password, callback in
    let query = Select(users.email, users.password, from: users)
        .where(users.email == userID)
    // The Kuery completion handler is escaping, so `callback` escapes with it
    connection.execute(query: query) { result in
        // Use `first` so an empty result set does not index out of bounds
        if let rows = result.asRows, let row = rows.first {
            if let truePassword = row["password"] as? String {
                if truePassword == password {
                    callback(UserProfile(id: userID, displayName: userID, provider: "HTTPBasic-Kitura"))
                    return
                }
            }
        }
        callback(nil)
    }
})
```
In this case the Swift Compiler will generate an error:
Closure use of non-escaping parameter 'callback' may allow it to escape
Change VerifyPassword typealias to use an explicitly escaping closure:
```swift
public typealias VerifyPassword = (String, String, @escaping (UserProfile?)->Void) -> Void
```
E.g. update Package.swift
How do I resolve this issue?
thanks