Authentication with JWT

Hello,

I have several questions about authentication using JWT:

Module.AddMiddleware(TJwtMiddleware.Create('secret', True));

1. Must we use the 'secret' here?

    Result := TJOSE.SHA256CompactToken('secret', JWT);

2. Above we forbid anonymous access in TJwtMiddleware.
How can we get a token in this situation?

Also, in the first question I meant: do we have to use the same secret?

Is there no way to edit messages in the forum?

You must create the token using a specific secret (just use random characters, not "secret" of course).

Then in the JWT middleware you should use the same secret so it's able to validate tokens generated by you.

OK, thanks. What can you recommend when anonymous access is forbidden:

Module.AddMiddleware(TJwtMiddleware.Create('secret', True));

How should we implement the first connection to get a token?

Hello again,

I have this code:

  // Auth Service
  AuthModule := TXDataServerModule.Create('http://+:' + APort + '/auth', CreateServicePool);
  AuthModule.AddMiddleware(TJwtMiddleware.Create('secret', False, True));
  IndyServer.Dispatcher.AddModule(AuthModule);
  // Data Services
  DataModule := TXDataServerModule.Create('http://+:' + APort + '/data', CreateServicePool);
  DataModule.AddMiddleware(TJwtMiddleware.Create('secret', True, True));
  IndyServer.Dispatcher.AddModule(DataModule);

Is it possible to make only one service, for receiving the token, available via the URI 'http://+:' + APort + '/auth',
and all other services available via the URI 'http://+:' + APort + '/data'?

Or should I create one module for both?

And also a question about the CreateServicePool implementation. Below are 2 variants;
both work, but which should be used?
  function CreateServicePool1: IDBConnectionPool;
  begin
    Result := TDBConnectionPool.Create(PoolSize, TDBConnectionFactory.Create(
      function: IDBConnection
      begin
        Result := TSQLiteNativeConnectionAdapter.Create(':memory:');
      end));
  end;
  function CreateServicePool: IDBConnectionPool;
  begin
    Result := TDBConnectionPool.Create(PoolSize, TDBConnectionFactory.Create(
      function: IDBConnection
      var
        Connection: TAureliusConnection;
      begin
        Connection := TAureliusConnection.Create(nil);
        Connection.Params.Values['Database'] := ':memory:';
        Connection.Params.Values['DriverID'] := 'SQLite';
        Result := Connection.CreateConnection;
        Connection.Free;
      end));
  end;
You can simply allow anonymous access in the middleware and then prevent accessing the protected API. Or, use a different Sparkle module for the protected part of the API and another one for the API that allows anonymous access.
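As an added example (not code from the thread or from TMS), this is what the token-issuing service on the anonymous-access /auth module could look like, signing with the same secret the /data module's TJwtMiddleware was created with. ILoginService, TLoginService, CheckCredentials and the JWT_SECRET and GUID placeholders are assumed names; EXDataHttpUnauthorized and RegisterServiceType are used as I recall them from the XData API.

```delphi
unit LoginService;

interface

uses
  System.SysUtils, System.DateUtils, JOSE.Core.JWT, JOSE.Core.Builder, XData.Service.Common, XData.Sys.Exceptions;

const
  JWT_SECRET = '<replace-with-long-random-secret>'; // placeholder: long random value from configuration, identical on /auth and /data

type
  [ServiceContract]
  ILoginService = interface(IInvokable)
    ['{00000000-0000-0000-0000-000000000000}'] // placeholder GUID, generate your own
    function Login(const UserName, Password: string): string;
  end;

  [ServiceImplementation]
  TLoginService = class(TInterfacedObject, ILoginService)
    function Login(const UserName, Password: string): string;
  end;

implementation

function CheckCredentials(const UserName, Password: string): Boolean;
begin
  Result := False; // hypothetical: look the user up in your store and compare a password hash
end;

function TLoginService.Login(const UserName, Password: string): string;
var
  JWT: TJWT;
begin
  // Reject bad credentials before any token is built; the client gets HTTP 401
  if not CheckCredentials(UserName, Password) then
    raise EXDataHttpUnauthorized.Create('Invalid user name or password');
  JWT := TJWT.Create;
  try
    JWT.Claims.Subject := UserName;
    JWT.Claims.IssuedAt := Now;
    JWT.Claims.Expiration := IncHour(Now, 1); // short lifetime limits the damage from a leaked token
    // Signed with the same secret the /data module's TJwtMiddleware validates against
    Result := TJOSE.SHA256CompactToken(JWT_SECRET, JWT);
  finally
    JWT.Free;
  end;
end;

initialization
  RegisterServiceType(TLoginService);
end.
```

The client calls Login on /auth once, then sends the returned token as `Authorization: Bearer <token>` to /data, where TJwtMiddleware.Create(JWT_SECRET, True) rejects requests without a valid signature.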

Yes, sure, that's one good approach.

Both approaches are fine. But personally I'd prefer the first one as TAureliusConnection is actually just a wrapper around the first one.
Also note that specifically for SQLite in-memory databases, you should always have a pool of size 1, since each new in-memory SQLite database you create will be a different one.