
Thread: OData Web Token Security and Validation

  1. #21
    Lianja Development Team barrymavin
    Join Date
    Feb 2012
    Location
    UK, USA, Thailand
    Posts
    7,183
    Blog Entries
    22
    Hi Hank

    http or https is the same technique. You just need to read the login() code in LianjaCloudDataServices.js and you will see how to send the authentication username and password. If you are not running in a browser you need to read the raw http response header and send the cookies it contains back on future requests. That's how browsers work so you just have to look like a browser to the remote Lianja Cloud Server. In other words use the http protocol.
    Principal developer of Lianja, Recital and other products

    Follow me on:

    Twitter: http://twitter.com/lianjaInc
    Facebook: http://www.facebook.com/LianjaInc
    LinkedIn: http://www.linkedin.com/in/barrymavin
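
The cookie round trip described in post #21 (read the cookies from the raw response header, send them back on later requests), as an added example that is not part of the original post or of LianjaCloudDataServices.js. It assumes a client talking to a single host, so Domain and Path matching are left out, and the cookie names and values are constructed, not Lianja's real ones.

```javascript
// Added example: minimal cookie jar for a non-browser client talking to one host.
// Cookie names and values are constructed; they are not Lianja's real cookie names.
class CookieJar {
  // name -> { value, expires (ms since epoch) or null, secure }
  constructor() { this.cookies = new Map(); }

  // Store one Set-Cookie header value, e.g. "sid=abc; Path=/; Secure; HttpOnly".
  store(setCookieValue, now = Date.now()) {
    const [pair, ...attrs] = setCookieValue.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return; // malformed: no cookie name
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    let expires = null, secure = false, maxAgeSeen = false;
    for (const attr of attrs) {
      const [k, v = ''] = attr.split(/=(.*)/);
      const key = k.toLowerCase();
      if (key === 'secure') secure = true;
      else if (key === 'max-age' && /^-?\d+$/.test(v)) {
        expires = now + Number(v) * 1000; // Max-Age takes precedence over Expires
        maxAgeSeen = true;
      } else if (key === 'expires' && !maxAgeSeen) {
        const t = Date.parse(v);
        if (!Number.isNaN(t)) expires = t;
      }
    }
    // Servers remove a cookie by expiring it; honour that so stale tokens are not replayed.
    if (expires !== null && expires <= now) this.cookies.delete(name);
    else this.cookies.set(name, { value, expires, secure });
  }

  // Build the Cookie request header for the next call.
  header(isHttps, now = Date.now()) {
    const parts = [];
    for (const [name, c] of this.cookies) {
      if (c.expires !== null && c.expires <= now) continue; // expired since it was stored
      if (c.secure && !isHttps) continue; // Secure cookies never go over plain http
      parts.push(`${name}=${c.value}`);
    }
    return parts.join('; ');
  }
}

// Constructed Set-Cookie values: a login response, then a logout response.
function demo(now = Date.UTC(2024, 0, 1)) {
  const jar = new CookieJar();
  jar.store('user=rob; Path=/', now);
  jar.store('authtoken=EXAMPLE123; Path=/; Secure; HttpOnly', now);
  const afterLogin = jar.header(true, now), overHttp = jar.header(false, now);
  jar.store('authtoken=; Max-Age=0; Path=/', now);
  jar.store('user=; Expires=Thu, 01 Jan 1970 00:00:00 GMT', now);
  return { afterLogin, overHttp, afterLogout: jar.header(true, now) };
}
```

A response can carry several Set-Cookie headers; pass each header value to `store()` separately rather than a comma-joined string, because Expires dates contain commas.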

  2. #22
    Member
    Join Date
    Sep 2013
    Location
    Bristol UK
    Posts
    95
    Barry,

    I'm having no luck using the revised Logout() function in LianjaCloudDataServices.js. The browser hangs on the ajax call to logoutsession.rsp in this.logout().

    At present I'm using a call to Login(' ', ' ') as a workaround as this appears to do the trick and even changes the new flag setting on the auth token allowing it to be removed using removeCookieVar().

    Cheers,

    Rob C

  3. #23
    Lianja MVP
    Join Date
    Feb 2012
    Location
    Berea, KY, USA
    Posts
    2,186
    Hey Rob, nice workaround!

  4. #24
    Lianja Development Team barrymavin
    Join Date
    Feb 2012
    Location
    UK, USA, Thailand
    Posts
    7,183
    Blog Entries
    22
    Rob,

    Yes that will work. I'll fix logout() up before today's release of 3.3.

  5. #25
    Member
    Join Date
    Sep 2013
    Location
    Bristol UK
    Posts
    95
    Barry,

    I'm doing some authentication testing and I've found something a bit odd.

    I have three users configured as follows:
    admin/admin with user roles '*'
    rob/password with user roles 'Special'
    tom/password with user roles 'NotSpecial'

    When logged out with a clear cache, if you call window.Lianja.cloudserver.isLoggedIn() followed immediately by window.Lianja.login('user','password'), it results in the user and auth tokens being set to 'guest' and the user roles being set to the user roles of the user specified in login().

    So if I'm logged out, calling isLoggedIn() followed by login('rob','password') results in my user and auth tokens being set to 'guest' while the user roles are set to 'Special'.

    If you make another call to the server between isLoggedIn() and Login(), everything works as expected.

    So, if I'm logged out, calling isLoggedIn() followed by a call to '/library/example_cookies.rsp' followed by login('rob','password') results in my user and auth tokens being set to 'rob' with the user roles set to 'Special'.


    At first I thought this was a side effect of my using login(' ',' ') as a logout() workaround, though I'm not so sure since everything appears to work as expected if isLoggedIn() is never called.

    Cheers,

    Rob C.

  6. #26
    Lianja Development Team barrymavin
    Join Date
    Feb 2012
    Location
    UK, USA, Thailand
    Posts
    7,183
    Blog Entries
    22
    Rob,

    Well ok but you are calling undocumented functions that we use internally.

    Are you referring to LianjaCloudDataServices or are you referring to Lianja Apps?

  7. #27
    Member
    Join Date
    Sep 2013
    Location
    Bristol UK
    Posts
    95
    Barry,

    I understand.

    At present I'm testing LianjaCloudDataServices.js with an eye towards translating it into an Angular 2 Lianja Service.

    I was looking at isLoggedIn() as a model for confirming a user's status via a call to the server. I will also be creating a "local" method that confirms the user's status using the local tokens, i.e. without a call to the server.

    At this point I'm just testing and working out the proper way to do the things I need to do.

    Cheers,

    Rob C.

  8. #28
    Lianja Development Team barrymavin
    Join Date
    Feb 2012
    Location
    UK, USA, Thailand
    Posts
    7,183
    Blog Entries
    22
    Rob,

    We will be releasing 3.3 today or tomorrow. I will take a look at this but in my tests that I just did in Lianja apps all works as expected.

  9. #29
    Member
    Join Date
    Sep 2013
    Location
    Bristol UK
    Posts
    95
    Barry,

    No worries. At this point I assume it's related to my workaround or to something in my code.

    I'm in the process of writing an Angular 2 Lianja authentication module which will include a series of API tests to highlight any issues.

    Cheers,

    Rob C.

  10. #30
    Member
    Join Date
    Sep 2013
    Location
    Bristol UK
    Posts
    95
    Barry,

    The issue does appear to be related to my calling login with empty credentials to log out. If I replace the empty credentials with known bad credentials, i.e. login('-','-'), the fault disappears.

    This being the case, once the logout() issue is fixed, everything will be good.

    Cheers,

    Rob C.
