I'm trying to implement token-based authorization for an Asp.Net MVC2 app, and I think my approach is wrong. First off: by token-based authorization I mean that when an unauthenticated user goes to http://myapp.com/some/action?tok=[special single-use token here] they are logged in.
All of the controllers in my app extend a common ApplicationController, so my approach was to override OnAuthorize on that controller as follows:
class ApplicationController
{
protected override void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.QueryString["tok"] != null)
{
var token = HttpUtility.UrlDecode(filterContext.HttpContext.Request.QueryString["tok"]);
if ((var user = getUserByToken(token)) != null)
{
FormsAuthentication.SetAuthCookie(user.Email, false);
}
else{ /* highly-proprietary handling of invalid token */ }
}
base.OnAuthorization(filterContext);
}
}
I am absolutely certain that SetAuthCookie is being called when it should and not being called when it shouldn't.
The problem is, that doesn't really log the user in. It sets a cookie, which means I'd have to redirect (User.Identity.IsAuthenticated remains false after calling SetAuthCookie.) But the whole idea about this is to continue the request as normal and avoid a pointless redirect. Is there some way to accomplish this goal? It doesn't really seem like a whole lot to ask...
After you call SetAuthCookie, nothing changes with the User.Identity. On the next request, the data will be what you are expecting. The best thing to do here is to issue a redirect after SetAuthCookie has been called.
Related
I want to be able to have a single Bool method that checks if a user is logged in, and if so returns the token to be used in the API header.
func isLoggedIn() -> Bool {
if let authToken = AuthManager.loadAuthToken() {
if authToken.expiration.isGreaterThanDate(Date()) {
return true
} else {
let authAPI = AuthenticationAPI()
authAPI.refreshToken(token: authToken.token) { (results) in
switch results {
case .success(let response):
[HAVE PARENT METHOD RETURN TRUE]
case .failure:
removeAuthToken()
[HAVE PARENT METHOD RETURN FALSE]
}
}
}
}
return false
}
I have this mostly working, however, I am running into a wall trying to figure out how to allow the app to attempt the refresh token call when there is a token present, but it is expired.
Semaphores seem like the way to go, but seem to quickly complicate the code. Is this the way it should be done or is there a better approach that is usually done for this?
I take a different approach.
In an AuthManager type of class, I store the token in an optional var. If the token is present, then I assume it is valid to be used in an API call. In the didSet for the token, there is a Notification.Name.authStatusDidChange notification which is sent so the app can respond accordingly.
If the API call returns a 401 then I notify the AuthManager to clear the token (which triggers the notification, and in my case shows the login flow).
However, you could have additional logic which rather than clearing the token, the Authmanager first tries to refresh it. If the refresh succeeds, then a different notification is sent to retry the API request. Otherwise it clears the token and triggers a sign in.
While I was Typing - Like Michal said, with a little more detail.
Currently using grails 2.2.2
I've been trying to implement tokens into my application and have come up with this issue. We try to avoid re-rendering pages because it can be very slow so we return JSON instead. The following is a basic controller call that we use but I'm not sure what I should be doing to reset/get a new token.
public saveThing(ThingCommand cmd) {
Map model = [:]
withForm {
try {
thingService.saveThing(cmd)
model.success = true
} catch (Exception e) {
model.error = true //any validation errors or anything else
// RESET TOKEN HERE/GET NEW TOKEN?
}
}.invalidToken {
model.invalidToken = true
}
render model as JSON
}
From my understanding the token is thrown away once the withForm closure is executed. This causes an issue since I don't actually re-render the form which seems to be the normal way of generating a new token. How could I do this manually or is there an easier way to do this (plugin?)
Thanks!
Form tokens through withForm are not designed to be used with AJAX requests. They are designed to be used with HTML forms and POST requests which re-render the form and generate a new token for the form.
In order to make them work with JSON/AJAX requests you will need to implement your own token generation when you process the request and reject it. A good starting place would be to look at the old tests which test withForm. This should give you an idea on how tokens are created and stored.
Im trying to style my login page. My login url is website/Security/login. Im trying to locate the 'login' piece of the url. What have i done wrong below?
public function DisplayPageType() {
$param = $this->request->param('Action');
if ($param === 'login')
{
return 'Login';
}
Thanks
I think that won't work since the controller during render is the Page_Controller and not the Security controller. So the $Action param is not equal to login. It could be index, I'm not sure.
If you just want to check if you're in the login page, you can add this to your Page_Controller:
public function getIsLoginPage()
{
return $_REQUEST['url'] == '/Security/login';
}
Then in your template:
<body class="<%if $IsLoginPage %>login-page<% end_if %>">
A bit dirty but it's the quickest way I know.
Another way is to leverage SilverStripe's legacy support. You can add a css file called tabs.css at mysite/css/tabs.css. If this file exists, SilverStripe will include this in the page.
You can also create templates that SilverStripe will automatically use if they exist:
themes/<theme_name>/Security.ss - If you want your login page to use an entirely different layout.
themes/<theme_name>/Layout/Security_login.ss - If you want to change just the content part (the $Layout section)
I hope this helps.
#gpbnz is right, the $Action param is not equal to login, it actually returns null as accessing $this->request from the Page_Controller when accessing the Security/login returns a NullHTTPRequest.
To get the action, you will want to get the current controller using Controller::curr(). It is then as simple as calling getAction on this controller.
To confirm that the action isn't from a random controller that happens to have an action called login, you can check the instanceof the controller like so: Controller::curr() instanceof Security
This check will still allow it to work for any controller that extends Security though which may/may not happen depending on the project.
I would stick away from actually reading the URL for the information manually though as that can create issues with maintainability in the future.
To bring this to a nice little function:
public function isLoginPage()
{
$controller = Controller::curr();
return $controller instanceof Security && $controller->getAction() == 'login';
}
Otherwise #gpbnz had a good suggestion of using the template system to your advantage for overriding not only the styles but the HTML around it.
I am trying to incorporate the CSRFGuard library in order to rectify some CSRF vulnerabilties in an application. However after configuring as specified here I am now getting the below messages in the log, when I navigate the application:
WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:169.xx.x.xxx, uri:/myapp/MyAction, error:request token does not match session token)
Through including the:
<script src="/sui/JavaScriptServlet"></script>
On my main.jsp page the links have all been built incorporating the CSRFGuard token, e.g.
......./myapp/MyAction?CSRFTOKEN=BNY8-3H84-6SRR-RJXM-KMCH-KLLD-1W45-M18N
So I am unable to understand what I'm doing wrong that could cause the links to pass a token other than the expected value.
Please let me know if any additional information would make it easier to understand.
In case anyone stumbles across a similar issue:
Turned out that accessing the app using IE wasn't passing a token to an AJAX call, this would in turn result in the tokens being refreshed but the links in the already rendered page remained, causing the mismatch when clicked.
Found out the issue by building CSRFGuard myself from source and adding extra logging.
The primefaces commandlink and commandbutton seem to cause the csrfguard javascript to malfunction, if you have use these two component with ajax set to true (which is the default), it can prevent the token being injected after the ajax call
One of the possible fixes is to change the following 2 lines in Owasp.CsrfGuard.js file.
Change
function injectTokenForm(form, tokenName, tokenValue, pageTokens) {
var action = form.attribute("action");
To
function injectTokenForm(form, tokenName, tokenValue, pageTokens) {
var action = form.attributes["action"].value;
AND
Change
function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
location = element.getAttribute(attr);
To
function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
var location = null;
if (attr == "action") {
location = element.attributes[attr].value;
} else {
location = element.getAttribute(attr);
}
Hi am starting off with Zend Framework and have a question about action helpers. My first application is a simple authentication system (following a tutorial from a book). The registration and authentication seems to work fine but the redirect doesn't.
I have a customer controller that has this among others:
class CustomerController extends Zend_Controller_Action
{
// some code here......
public function authenticateAction()
{
$request = $this->getRequest();
if (!$request->isPost()) {
return $this->_helper->redirector('login');
}
// Validate
$form = $this->_forms['login'];
if (!$form->isValid($request->getPost())) {
return $this->render('login');
}
if (false === $this->_authService->authenticate($form->getValues())) {
$form->setDescription('Login failed, please try again.');
return $this->render('login');
}
return $this->_helper->redirector('index');
}
the authenticate url is http://localhost/customer/authenticate and this seems to work fine but it does not redirect. After authentication I get a blank page which looks like its taking me to the index and just sits there. I tried using '/index' instead but that did not help either. Do I need to do anything special to make the redirector helper work? I have a logout action which behaves the same.
You should call
$this->_helper->redirector('index');
without the return.
I found out there may be a problem with my setup. The code above is perfect, works on another computer.