Rails metal http basic auth - ruby-on-rails-3

I am trying to use HTTP basic authentication when a remote service hits one of my Rails metal endpoints.
I am wondering how to get access to the username and password of the request. So far, I have printed out the entire env object and can't find the username or password anywhere in that object.
Instead, I see
"HTTP_AUTHORIZATION"=>"Basic YW5yZ3JpZDpzYWZlbWFpbA==", "PASSENGER_CONNECT_PASSWORD"=>"U4vAn6lVAOe2C8nIQSWT93j3SFJkA5VxOicSeDspF9a"
But I am not sure what to do with this.
Ideally, I'd like to do something like:
class MyHook
def self.call(env)
user = env[...]
pass = env[...]
if (user == "foo" && pass == "pass")
# do stuff
end
end
end
Thanks!

require 'base64'
# Decode the colon-separated, base64-encoded user and password after "Basic "
user, pass = Base64.decode64(env['HTTP_AUTHORIZATION'].split[1]).split ':', 2
I would definitely retire the password you posted encoded with your question. :-)

Related

Send auth_token for authentication to ActionCable

module ApplicationCable
class Connection < ActionCable::Connection::Base
identified_by :current_user
def connect
#puts params[:auth_token]
self.current_user = find_verified_user
logger.add_tags 'ActionCable', current_user.name
end
end
end
I don't use web as end point for action cable, so I want to use auth_token for authentication. By default action cable use session user id for authentication. How to pass params to connect method?
I managed to send my authentication token as a query parameter.
When creating my consumer in my javascript app, I'm passing the token in the cable server URL like this:
wss://myapp.com/cable?token=1234
In my cable connection, I can get this token by accessing the request.params:
module ApplicationCable
class Connection < ActionCable::Connection::Base
identified_by :current_user
def connect
self.current_user = find_verified_user
logger.add_tags 'ActionCable', current_user.name
end
protected:
def find_verified_user
if current_user = User.find_by(token: request.params[:token])
current_user
else
reject_unauthorized_connection
end
end
end
end
It's clearly not ideal, but I don't think you can send custom headers when creating the websocket.
Pierre's answer works. However, it's a good idea to be explicit about expecting these parameters in your application.
For instance, in one of your config files (e.g. application.rb, development.rb, etc...) you can do this:
config.action_cable.mount_path = '/cable/:token'
And then simply access it from your Connection class with:
request.params[:token]
Unfortunately for websocket connections, additional headers and custom ones are not supported1 by most2 websocket clients and servers.
So the possible options are:
Attach as an URL parameter and parse it on the server
path.to.api/cable?token=1234
# and parse it like
request.params[:token]
Cons: It could be vulnerable as it may end up in logs and system process information available to others that have access to the server, more here
Solution: Encrypt the token and attach it, so even if it can be seen in the logs, it would serve no purpose until its decrypted.
Attach JWT in one of the allowed parameters.
Client side:
# Append jwt to protocols
new WebSocket(url, existing_protocols.concat(jwt))
I created a JS library action-cable-react-jwt for React and React-Nativethat just does this. Feel free to use it.
Server side:
# get the user by
# self.current_user = find_verified_user
def find_verified_user
begin
header_array = self.request.headers[:HTTP_SEC_WEBSOCKET_PROTOCOL].split(',')
token = header_array[header_array.length-1]
decoded_token = JWT.decode token, Rails.application.secrets.secret_key_base, true, { :algorithm => 'HS256' }
if (current_user = User.find((decoded_token[0])['sub']))
current_user
else
reject_unauthorized_connection
end
rescue
reject_unauthorized_connection
end
end
1 Most Websocket APIs (including Mozilla's) are just like the one below:
The WebSocket constructor accepts one required and one optional
parameter:
WebSocket WebSocket(
in DOMString url,
in optional DOMString protocols
);
WebSocket WebSocket(
in DOMString url,
in optional DOMString[] protocols
);
url
The URL to which to connect; this should be the URL to which the
WebSocket server will respond.
protocols Optional
Either a single protocol string or an array of protocol strings. These
strings are used to indicate sub-protocols, so that a single server
can implement multiple WebSocket sub-protocols (for example, you might
want one server to be able to handle different types of interactions
depending on the specified protocol). If you don't specify a protocol
string, an empty string is assumed.
2 There are always excpetions, for instance, this node.js lib ws allows building custom headers, so you can use the usual Authorization: Bearer token header, and parse it on the server but both client and server should use ws.
As I already stated in a comment the accepted answer is not a good idea, simply because the convention is that the URL should not contain such sensitive data. You can find more information here: https://www.rfc-editor.org/rfc/rfc6750#section-5.3 (though this is specifically about OAuth).
There is however another approach: Use HTTP basic auth via the ws url. I found that most websocket clients allow you to implicitly set the headers by prepending the url with http basic auth like this: wss://user:pass#yourdomain.com/cable.
This will add the Authorization header with a value of Basic .... In my case I was using devise with devise-jwt and simply implemented a strategy which inherited from the one provided in the gem which pulls the jwt out of the Authorization header. So I set the url like this: wss://TOKEN#host.com/cable which sets the header to this (pseudo): Basic base64("token:") and parse that in the strategy.
In case any of you would like to use ActionCable.createCustomer. But have renewable token as I do:
const consumer = ActionCable.createConsumer("/cable")
const consumer_url = consumer.url
Object.defineProperty(
consumer,
'url',
{
get: function() {
const token = localStorage.getItem('auth-token')
const email = localStorage.getItem('auth-email')
return consumer_url+"?email="+email+"&token="+token
}
});
return consumer;
Then in case that the connection is lost it will be opened with a fresh new token.
to add to previous answers, if you used your JWT as a param, you're going to have to at least btoa(your_token) #js and Base64.decode64(request.params[:token]) #rails as rails considers dot '.' a separator so your token will be cut off #rails params side
Another way (the way I did it in the end instead of my other answer) would be to have a authenticate action on your channel. I used this to determine the current user and set it in the connection/channel. All the stuff is send over websockets so credentials are not an issue here when we have it encrypted (i.e. wss).
I was asked about it recently and want to share the solution that I currently use in production systems.
class MyChannel < ApplicationCable::Channel
attr_accessor :current_user
def subscribed
authenticate_user!
end
private
# this works, because it is actually sends via the ws(s) and not via the url <3
def authenticate_user!
#current_user ||= JWTHelper.new.decode_user params[:token]
reject unless #current_user
end
end
Then re-use warden strategies to work with that JWT (and let it handle all possible edge cases and pitfalls).
class JWTHelper
def decode_user(token)
Warden::JWTAuth::UserDecoder.new.call token, :user, nil if token
rescue JWT::DecodeError
nil
end
def encode_user(user)
Warden::JWTAuth::UserEncoder.new.call(user, :user, nil).first
end
end
Though I didn't use ActionCable for the frontend it should roughly work like this:
this.cable.subscriptions.create({
channel: "MyChannel",
token: "YOUR TOKEN HERE",
}, //...
It is also possible to pass the authentication token in the request headers and then validate the connection by accessing the request.headers hash.
For example, if the authentication token were specified in a header called 'X-Auth-Token' and your User model have a field auth_token you could do:
module ApplicationCable
class Connection < ActionCable::Connection::Base
identified_by :current_user
def connect
self.current_user = find_verified_user
logger.add_tags 'ActionCable', current_user.id
end
protected
def find_verified_user
if current_user = User.find_by(auth_token: request.headers['X-Auth-Token'])
current_user
else
reject_unauthorized_connection
end
end
end
end
As for security of Pierre's answer: If you're using WSS protocol, which uses SSL for encryption, then the principles for sending secure data should the same as for HTTPS. When using SSL, query string parameters are encrypted as well as the body of the request. So if in HTTP APIs you're sending any kind of token through HTTPS and deem it secure, then it should be the same for WSS. Just remember that the same as for HTTPS, don't send credentials like password through query parameters, as the URL of the request could be logged on a server and thus stored with your password. Instead use things like tokens that are issued by the server.
Also you can check this out (this basically describes something like JWT authentication + IP address verification): https://devcenter.heroku.com/articles/websocket-security#authentication-authorization.

Sinatra: How to password protect entire site with ONLY password, and not a basic HTTP auth?

I have a Sinatra app that I want to password protect on a very basic level. The basic idea is that there would be a page with a single input box where you would type in a password. If the correct password in submitted, then you have access to the rest of the site. If you tried to access the site without the password, it should redirect you to the password page.
I can do this with a basic HTTP Auth:
use Rack::Auth::Basic do |username, password|
password == 'password'
end
but I want to have a decent looking page for only the password, rather than using the HTTP authentication.
Is there a gem/method to do this easily?
It's fairly simple to implement something like this. But since I had the same problem in the beginning I help you out here.
use Rack::Session::Pool
helpers do
def loged? ; session["isLogdIn"] == true; end
def protected! ; halt 401 unless admin? ; end
end
get "/login/?" do
erb :login
end
post '/login/?' do
if params['password'] == "mypassword"
session["isLogdIn"] = true
redirect '/'
else
halt 401
end
end
get('/logout/?'){ session["isLogdIn"] = false ; redirect '/' }
get 'myprotectedpage' do
protected!
erb :view
end
Of course you can extend this an hash the password and so on.
A gem which does such things is https://github.com/hassox/warden but I never used it.

How do you use Snap's authentication mechanisms during a single POST request?

I'm working on a Haskell Snap-based web app, and I want to expose an API endpoint that will be invoked by a remote service without establishing an authenticated session a-priori; however, I do want that request to be authenticated, so the credentials should be provided at the time of the request.
You could imagine the request containing four fields:
username
password
payload id
payload file
The payload id and file might be irrelevant for this question, but I include them because I (a) need to support file uploads in this request (which, as I understand it, restricts the encoding used to send fields) and (b) need to retrieve at least one non-file field. The combination of those things posed some difficulty when I set this up without authentication, so perhaps it is relevant.
In Snap parlance, let's call this handler uploadHandler.
As indicated above, I have this working fine without authentication, with a setup like this:
uploadHandler :: Handler App App ()
uploadHandler = do
-- collect files / form fields and process as needed.
-- and using the routes:
routes :: [(ByteString, Handler App App ())]
routes = [ ("/login", with auth handleLoginSubmit)
, ("/logout", with auth handleLogout)
, ("/new_user", with auth handleNewUser)
-- handle the upload:
, ("/upload", handleUpload)
]
The naive solution is to simply add 'with auth' and change the type of handleUpload:
uploadHandler :: Handler App (AuthManager App) ()
uploadHandler = do
-- collect files / form fields and process as needed.
-- and using the routes:
routes :: [(ByteString, Handler App App ())]
routes = [ ("/login", with auth handleLoginSubmit)
, ("/logout", with auth handleLogout)
, ("/new_user", with auth handleNewUser)
-- handle the upload, with auth:
, ("/upload", with auth handleUpload)
]
However, this seems to require two requests: (i) authenticate and establish a session, (ii) send the POST request containing the actual payload.
I found a way to do this in one request, but it seems like there should be a more elegant means. Here's the example restricted POST handler I've hacked together:
restrictedPOST :: Handler App (AuthManager App) ()
restrictedPOST = do
mName <- getPostParam "username"
mPass <- getPostParam "password"
let uName = C8.unpack $ fromMaybe "" mName
pass = ClearText $ fromMaybe "" mPass
authResult <- loginByUsername (T.pack uName) pass False
case authResult of
Left authFail -> writeText "Could not log in"
Right user -> writeText (T.append "Hello " (userLogin user))
Is there something like 'with auth' that I can use instead of turning this example (restrictedPOST) into a combinator? I realize it may need to know which fields to get credentials out of, but I also know very little about web services (maybe there is another means? Maybe this is a total non-issue, and I just don't know how to check auth for POST requests. I'm open to any suggestions!)
I don't think you understand what with auth is doing. It has nothing to do with whether authentication is required. All it does is convert a Handler b (AuthManager b) into a Handler b v. No permissions checks are performed. Your restrictedPOST function has the right idea.

Authenticating stomp web socket clients

I have a ruby on rails application deployed to torquebox. I need some way to secure the websockets in my application. I am using the stomp websockets , is there a way to authenticate users while they make a websocket connection? I could use the username and password parameters but they are currently ignored. Is there any other way to authenticate this connection? Thanks!
You can authenticate a message to a Stomplet by using the session and a stored token. For this to work, you have to setup Rails to use the Torquebox session store. This can be done with an initializer, such as config/initializers/torquebox_init.rb:
AppName::Application.config.session_store :torquebox_store
Now the Stomplet will have access to the session. Here is an example Stomplet that uses the session param :authentication_token to match the User's authentication_token in the database. The auth token is checked for subscribing, sending a message, and unsubscribing:
require 'torquebox-stomp'
class StompletDemo
def initialize()
super
#subscribers = []
end
def configure(stomplet_config)
end
def on_message(stomp_message, session)
token = session[:authentication_token]
if is_authenticated?( token )
#subscribers.each do |subscriber|
subscriber.send( stomp_message )
end
end
end
def on_subscribe(subscriber)
session = subscriber.session
if is_authenticated?(session[:authentication_token])
#subscribers << subscriber
end
end
def on_unsubscribe(subscriber)
session = subscriber.session
if is_authenticated?(session[:authentication_token])
#subscribers.delete( subscriber )
end
end
def is_authenticated?(token)
User.where( authentication_token: token ).exists?
end
end
Now all you have to do is make sure that when the user authenticates, the session[:authentication_token] is set. Mostly like this will be set in a controller:
# user has successfully authenticates
session[:authentication_token] = #user.authentication_token
For other people having this issue, this is how I solved it.
https://gist.github.com/j-mcnally/6207839
Basically the token system didnt scale for me, especially since I use devise.
If you want to host your websocket in say a chrome extension its easier to just pass username/password directly to stomp and have it manage its own virtual subscriber sessions in the stomplet. This also allow you to do some fun things as far as who you are pushing to.

urllib2 basic authentication is a hit and miss

i am having some problem with the authentication in urllib2, it is hitting some pages
like i have
https://localhost:5260/user
I am using a basic authentication for this and its working fine, a page is retrieved correctly
username = 'test'
password = 'test'
base64string = base64.encodestring('%s:%s' % (username, password))[:-1]
authheader = "Basic %s" % base64string
but when i apply the same thing to another page which the user is an admin and trying to access, its not returning the page with authentication
https://localhost:5260/post/250
I understand this is something do with the state which is saved, but i am not able to figure it out.
This seems trivial now, I need to set the cookie and pass that information to the server :)
The link below gives a good description of how to look at it.
http://www.voidspace.org.uk/python/articles/cookielib.shtml