Basic Authentication


Basic Authentication

Marco Lazzaroni
Hello,
I have to implement some sort of authentication in my web server implementation.
My idea is to begin with Basic Authentication (RFC2617) and then proceed with JWT (Bearer Authentication with JSON web tokens, RFC7519), because in my understanding Basic authentication requires a subset of the changes required for JWT, so I can check whether the code is OK.

About Basic Authentication, I suppose that I have to do the following:
- when I get an HTTP request, I have to check in the headers whether "Authorization: Basic xxxxx" is present: if not, I have to send an HTTP 401 with "WWW-Authenticate: Basic realm..."
- if the "Authorization: Basic" header is present and the credentials are correct, I have to reply with an HTTP 200 and the rest of the page
- wrong user/pass: HTTP 403

What functions of httpd.c do I have to modify?
I suppose:
1) http_parse_request, in order to check if "authorization" header is there, and correct, and save this somewhere (in the struct http_ssi_state?)
2) http_find_file(): the fs_open() call must be done only if user and passwords are ok

Is that all?

Another question: is LWIP_HTTPD_FILE_STATE needed for Basic Authentication? And for Bearer Authentication? I think not.

Thanks in advance for your help! :-)
Cheers
Marco

_______________________________________________
lwip-users mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-users

Re: Basic Authentication

Marco Lazzaroni


On Mon 20 Apr 2020 at 12:35 Marco Lazzaroni <[hidden email]> wrote:

About Basic Authentication, I suppose that I have to do the following:
- when I get an HTTP request, I have to check in the headers whether "Authorization: Basic xxxxx" is present: if not, I have to send an HTTP 401 with "WWW-Authenticate: Basic realm..."
- if the "Authorization: Basic" header is present and the credentials are correct, I have to reply with an HTTP 200 and the rest of the page
- wrong user/pass: HTTP 403
In case someone has the same need, I implemented basic authentication:
- fixed get_http_header (see https://savannah.nongnu.org/bugs/?58223) and added an "if" for 401
- added a 401 "if" in http_find_error_file
- in http_parse_request():
        - if authorization header is missing, then return 401
        - if Authorization: Basic <credentials> are not ok (checked by external function), then return 401, else go on and send the web page

That's all, if someone will need some more detail I'll give it to them.
Cheers
 Marco



Re: Basic Authentication

Ben Stuyts-3
Hi Marco,

Sounds good! I’m interested in this. Would it be possible for you to post a complete patch?

Thanks,
Ben


On 22 Apr 2020, at 15:25, Marco Lazzaroni <[hidden email]> wrote:



On Mon 20 Apr 2020 at 12:35 Marco Lazzaroni <[hidden email]> wrote:

About Basic Authentication, I suppose that I have to do the following:
- when I get an HTTP request, I have to check in the headers whether "Authorization: Basic xxxxx" is present: if not, I have to send an HTTP 401 with "WWW-Authenticate: Basic realm..."
- if the "Authorization: Basic" header is present and the credentials are correct, I have to reply with an HTTP 200 and the rest of the page
- wrong user/pass: HTTP 403
In case someone has the same need, I implemented basic authentication:
- fixed get_http_header (see https://savannah.nongnu.org/bugs/?58223) and added an "if" for 401
- added a 401 "if" in http_find_error_file
- in http_parse_request():
        - if authorization header is missing, then return 401
        - if Authorization: Basic <credentials> are not ok (checked by external function), then return 401, else go on and send the web page

That's all, if someone will need some more detail I'll give it to them.
Cheers
 Marco


Re: Basic Authentication

Marco Lazzaroni
On Thu 23 Apr 2020 at 11:17 Ben Stuyts <[hidden email]> wrote:
Hi Marco,

Sounds good! I’m interested in this. Would it be possible for you to post a complete patch?

Sure, I'll do it! Anyway, I must say that it's not fully tested, and I think it works only if you enable LWIP_HTTPD_SUPPORT_EXTSTATUS. On the other hand, it should also work without enabling LWIP_HTTP_DYNAMIC_HEADERS, as I did.


Re: Basic Authentication

Trampas Stern
So what I did was add support for cookies. Basically, in http_parse_request() I created a callback that I call, passing the header to the callback. In that function I get the cookie for a session ID, and return a redirect if the current user is not logged in.

When the user connects, the callback checks the session ID cookie and the remote IP port for a match; if they do not match the currently logged-in person, I redirect them to the login page. The login page assigns them a new random session ID and lets them enter a password. If the password matches, then I store their session ID and IP address as being logged in. The reason for the IP address is that when the login screen is shown, if someone is logged in, it will inform the user that they will kick off that person at IP address xx.xx.xx.xx. Yes, if the connection is through a router/NAT then everyone will have the same IP, but that is not my use case.

This works well except for calls where I am just requesting JSON values. Here I had to change the HTML/JavaScript to know that the JSON failed due to being logged out and redirect them to the login page.

Trampas



On Thu, Apr 23, 2020 at 6:10 AM Marco Lazzaroni <[hidden email]> wrote:
On Thu 23 Apr 2020 at 11:17 Ben Stuyts <[hidden email]> wrote:
Hi Marco,

Sounds good! I’m interested in this. Would it be possible for you to post a complete patch?

Sure, I'll do it! Anyway, I must say that it's not fully tested, and I think it works only if you enable LWIP_HTTPD_SUPPORT_EXTSTATUS. On the other hand, it should also work without enabling LWIP_HTTP_DYNAMIC_HEADERS, as I did.

Re: Basic Authentication

Marco Lazzaroni
In reply to this post by Marco Lazzaroni
Here's my patch.
It does not handle the case of having some pages in a protected area and some others not.
Also, I doubt whether the correct form is HTTP/1.0 401 Unauthorized or HTTP/1.1 401 Unauthorized
(I don't know the difference between 1.0 and 1.1).

On Thu 23 Apr 2020 at 12:10 Marco Lazzaroni <[hidden email]> wrote:
On Thu 23 Apr 2020 at 11:17 Ben Stuyts <[hidden email]> wrote:
Hi Marco,

Sounds good! I’m interested in this. Would it be possible for you to post a complete patch?

Sure, I'll do it! Anyway, I must say that it's not fully tested, and I think it works only if you enable LWIP_HTTPD_SUPPORT_EXTSTATUS. On the other hand, it should also work without enabling LWIP_HTTP_DYNAMIC_HEADERS, as I did.


Attachment: basic-auth.patch (5K)

Re: Basic Authentication

Marco Lazzaroni
In reply to this post by Trampas Stern
On Thu 23 Apr 2020 at 14:12 Trampas Stern <[hidden email]> wrote:
So what I did was add support for cookies. Basically, in http_parse_request() I created a callback that I call, passing the header to the callback. In that function I get the cookie for a session ID, and return a redirect if the current user is not logged in.

When the user connects, the callback checks the session ID cookie and the remote IP port for a match; if they do not match the currently logged-in person, I redirect them to the login page. The login page assigns them a new random session ID and lets them enter a password. If the password matches, then I store their session ID and IP address as being logged in.

What needs to be done on the HTML side? I mean, in some way the browser has to know that it has to send the cookie in the header, am I correct? But how?



Re: Basic Authentication

Trampas Stern
The browser sends the cookie automatically. 

What I do in the login.html is add the following:



On Thu, Apr 23, 2020 at 10:26 AM Marco Lazzaroni <[hidden email]> wrote:
On Thu 23 Apr 2020 at 14:12 Trampas Stern <[hidden email]> wrote:
So what I did was add support for cookies. Basically, in http_parse_request() I created a callback that I call, passing the header to the callback. In that function I get the cookie for a session ID, and return a redirect if the current user is not logged in.

When the user connects, the callback checks the session ID cookie and the remote IP port for a match; if they do not match the currently logged-in person, I redirect them to the login page. The login page assigns them a new random session ID and lets them enter a password. If the password matches, then I store their session ID and IP address as being logged in.

What needs to be done on the HTML side? I mean, in some way the browser has to know that it has to send the cookie in the header, am I correct? But how?


Re: Basic Authentication

Trampas Stern
document.cookie = "sessionToken=3";

This will set the sessionToken (session ID) to 3. So in the firmware, when httpd.c requests this file, I find this string and replace the buffer with the correct session ID number I want. This then sets the cookie, and the browser will send this cookie with every request to the device.

Then in my callback I parse the HTML header for the session cookie, to see if it matches who is logged in.

In the login, what I do is have the user type the admin password, which I then send as an MD5 hash with the session ID. If the MD5 hash matches, I record the IP and session ID for the person logged in.

Trampas 

On Thu, Apr 23, 2020 at 11:09 AM Trampas Stern <[hidden email]> wrote:
The browser sends the cookie automatically. 

What I do in the login.html is add the following:



On Thu, Apr 23, 2020 at 10:26 AM Marco Lazzaroni <[hidden email]> wrote:
On Thu 23 Apr 2020 at 14:12 Trampas Stern <[hidden email]> wrote:
So what I did was add support for cookies. Basically, in http_parse_request() I created a callback that I call, passing the header to the callback. In that function I get the cookie for a session ID, and return a redirect if the current user is not logged in.

When the user connects, the callback checks the session ID cookie and the remote IP port for a match; if they do not match the currently logged-in person, I redirect them to the login page. The login page assigns them a new random session ID and lets them enter a password. If the password matches, then I store their session ID and IP address as being logged in.

What needs to be done on the HTML side? I mean, in some way the browser has to know that it has to send the cookie in the header, am I correct? But how?


Re: Basic Authentication

Ajay Bhargav (posted via the lwip-users mailing list)
In reply to this post by Marco Lazzaroni

It's better to use the Set-Cookie header so cookies are controlled from the server side rather than the client side.

Regards,

Ajay Bhargav

From: [hidden email]
Sent: Thursday, April 23, 2020 8:43 PM
To: [hidden email]
Subject: Re: [lwip-users] Basic Authentication

document.cookie = "sessionToken=3";

This will set the sessionToken (session ID) to 3. So in the firmware, when httpd.c requests this file, I find this string and replace the buffer with the correct session ID number I want. This then sets the cookie, and the browser will send this cookie with every request to the device.

Then in my callback I parse the HTML header for the session cookie, to see if it matches who is logged in.

In the login, what I do is have the user type the admin password, which I then send as an MD5 hash with the session ID. If the MD5 hash matches, I record the IP and session ID for the person logged in.

Trampas

On Thu, Apr 23, 2020 at 11:09 AM Trampas Stern <[hidden email]> wrote:

The browser sends the cookie automatically.

What I do in the login.html is add the following:

On Thu, Apr 23, 2020 at 10:26 AM Marco Lazzaroni <[hidden email]> wrote:

On Thu 23 Apr 2020 at 14:12 Trampas Stern <[hidden email]> wrote:

So what I did was add support for cookies. Basically, in http_parse_request() I created a callback that I call, passing the header to the callback. In that function I get the cookie for a session ID, and return a redirect if the current user is not logged in.

When the user connects, the callback checks the session ID cookie and the remote IP port for a match; if they do not match the currently logged-in person, I redirect them to the login page. The login page assigns them a new random session ID and lets them enter a password. If the password matches, then I store their session ID and IP address as being logged in.

What needs to be done on the HTML side? I mean, in some way the browser has to know that it has to send the cookie in the header, am I correct? But how?


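Trampas's session-cookie scheme (a callback that checks the sessionToken cookie and the remote address, redirecting to the login page on a mismatch) and Ajay's point that the cookie should be set by the server with a Set-Cookie header, as one added C example that is neither lwIP's httpd.c nor either poster's code. It assumes the httpd callback hands it the value of the Cookie header and the peer IPv4 address, and that the login handler has already verified the password and produced a random token (all assumptions); the token, addresses and cookie strings below are constructed for the demo.

```c
/* Added example, not lwIP's httpd.c or any poster's code: a server-issued session cookie
 * for a single-user device. The Cookie header value and the peer IPv4 address are assumed
 * to be handed over by the httpd callback; the token must come from a CSPRNG in practice. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TOKEN_LEN 16      /* constructed demo size; use at least 128 random bits in practice */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct session {
    char token[TOKEN_LEN + 1];
    uint32_t peer_ip;             /* address the login came from, host byte order */
    int active;
};

static struct session g_session;  /* one login at a time, as described in the thread */

/* Record a login and build the Set-Cookie header sent with the login reply. HttpOnly keeps
 * document.cookie from reading the token and SameSite=Strict keeps other sites from making
 * the browser attach it. Secure is omitted only because this httpd speaks plain HTTP, which
 * also means the token itself crosses the network in clear. */
int session_start(const char *token, uint32_t peer_ip, char *hdr, size_t cap)
{
    if (strlen(token) != TOKEN_LEN) return -1;
    memcpy(g_session.token, token, TOKEN_LEN + 1);
    g_session.peer_ip = peer_ip;
    g_session.active = 1;
    return snprintf(hdr, cap, "Set-Cookie: sessionToken=%s; Path=/; HttpOnly; SameSite=Strict\r\n", token);
}

/* Pull one cookie out of a Cookie header value such as "theme=dark; sessionToken=abc". */
static int cookie_get(const char *cookies, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    const char *p = cookies;
    while (*p != '\0') {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t len = strcspn(v, ";");
            if (len >= cap) return 0;     /* longer than any valid token: treat as absent */
            memcpy(out, v, len);
            out[len] = '\0';
            return 1;
        }
        p += strcspn(p, ";");             /* skip to the next cookie */
    }
    return 0;
}

/* Decision for one request: 200 to serve it, 302 to redirect to the login page.
 * cookies may be NULL when the request carried no Cookie header at all. */
int session_check(const char *cookies, uint32_t peer_ip)
{
    char tok[TOKEN_LEN + 1] = {0};
    if (!g_session.active || cookies == NULL) return 302;
    if (!cookie_get(cookies, "sessionToken", tok, sizeof tok)) return 302;
    unsigned char diff = 0;           /* compare every byte; no early exit on mismatch */
    for (size_t i = 0; i < TOKEN_LEN; i++) diff |= (unsigned char)(tok[i] ^ g_session.token[i]);
    if (diff != 0) return 302;
    if (peer_ip != g_session.peer_ip) return 302;   /* the same-address binding from the thread */
    return 200;
}

int main(void)
{
    char hdr[128];
    session_start("0123456789abcdef", IP4(192, 168, 1, 20), hdr, sizeof hdr);   /* constructed token */
    printf("%s", hdr);
    printf("same client: %d\n", session_check("theme=dark; sessionToken=0123456789abcdef", IP4(192, 168, 1, 20)));
    printf("other address: %d\n", session_check("sessionToken=0123456789abcdef", IP4(192, 168, 1, 21)));
    printf("no cookie: %d\n", session_check(NULL, IP4(192, 168, 1, 20)));
    return 0;
}
```

Issuing the cookie from the server instead of rewriting a document.cookie line in login.html has two effects the thread touches on: the token never has to be spliced into served HTML, and HttpOnly makes it unreadable to page scripts. The same-address check reproduces the behaviour Trampas describes, including its limitation behind NAT.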
Re: Basic Authentication

Marco Lazzaroni
In reply to this post by Trampas Stern


On Thu 23 Apr 2020 at 17:13 Trampas Stern <[hidden email]> wrote:
document.cookie = "sessionToken=3";

This will set the sessionToken (session ID) to 3. So in the firmware, when httpd.c requests this file, I find this string and replace the buffer with the correct session ID number I want. This then sets the cookie, and the browser will send this cookie with every request to the device.


Then in my callback I parse the HTML header for the session cookie, to see if it matches who is logged in.

In the login, what I do is have the user type the admin password, which I then send as an MD5 hash with the session ID. If the MD5 hash matches, I record the IP and session ID for the person logged in.

Trampas 

Thank you for your explanation! 

