Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support a new "secret" auth method on the phone #802

Merged
merged 3 commits into from
Mar 17, 2021
Merged

Support a new "secret" auth method on the phone #802

merged 3 commits into from
Mar 17, 2021

Conversation

shankari
Copy link
Contributor

This is a partial fix for issue
e-mission/e-mission-docs#628

The new method assumes that all tokens are prefixed by a shared secret between
the server and the client. This means that all tokens have two parts both of which are validated by the method.

  • The second part is used to identify the user, randomly generating it on the
    phone ensures that users can only see their own data.
  • The first shared part is configured into both the app and the server. It
    ensures that users can only connect to the server from authorized clients,
    which in this case, are smartphone apps that embed the secret.
  • bonus fix to generate the correct error (403 instead of 401) in case of auth errors

Testing done:

  • configured the webserver to use the secret method

  • configured one valid secret "FOOBAR"

    • auth failed on the server
    END 2021-03-16 11:33:43.257294 POST /result/metrics/timestamp  0.00736689567565918
Traceback (most recent call last):
  File "emission/net/api/cfc_webapp.py", line 594, in getUUID
    retUUID = enaa.getUUID(request, auth_method, inHeader)
  File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 67, in getUUID
    retUUID = getUUIDFromToken(authMethod, userToken)
  File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 41, in getUUIDFromToken
    userEmail = AuthMethodFactory.getAuthMethod(authMethod).verifyUserToken(token)
  File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/secret.py", line 29, in verifyUserToken
    (token, len(self.client_secret_list)))
ValueError: Invalid token REPLACEMEkVVdF9rT, not found in list of length 1
    • reflected on the client
    2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)
2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "ERROR:Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)

  • configured the same valid secret as the phone "REPLACEME"
    e-mission/e-mission-phone@c00f63b

    • auth succeded on server
    START 2021-03-16 11:36:22.818484 POST /result/metrics/timestamp
END 2021-03-16 11:36:22.832453 POST /result/metrics/timestamp cf8ccb7b-84d7-40e4-a726-7691e614b042 0.013911962509155273
    • reflected on client
    2021-03-16 11:36:21.821 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, connectionSettings = {"connectUrl":"http:\/\/10.0.2.2:8080","android":{"auth":{"method":"prompted-auth","clientID":"ignored"}},"ios":{"auth":{"method":"prompted-auth","clientID":"ignored"}}}
2021-03-16 11:36:21.832 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, returning http://10.0.2.2:8080
2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: Posting data to http://10.0.2.2:8080/result/metrics/timestamp
2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: About to execute query SELECT data FROM userCache WHERE key = 'prompted-auth' AND type = 'local-storage' AND write_ts >= 0.0 AND write_ts <= 1.615919781836E12 ORDER BY write_ts DESC
2021-03-16 11:36:21.848 23394-9405/edu.berkeley.eecs.emission.devapp I/PromptedAuth: Auth found in local storage, now it should be stable
2021-03-16 11:36:21.887 23394-9405/edu.berkeley.eecs.emission.devapp I/CommunicationHelper: Got response org.apache.http.message.BasicHttpResponse@c89c5d6 with status HTTP/1.1 200 OK

shankari added 3 commits March 17, 2021 10:38
@shankari
Support a new "secret" auth method on the phone
460b9e4 
This is a partial fix for issue
e-mission/e-mission-docs#628

The new method assumes that all tokens are prefixed by a shared secret between
the server and the client. This means that all tokens have two parts both of which are validated by the method.
- The second part is used to identify the user, randomly generating it on the
  phone ensures that users can only see their own data.
- The first shared part is configured into both the app and the server. It
  ensures that users can only connect to the server from authorized clients,
  which in this case, are smartphone apps that embed the secret.

+ bonus fix to generate the correct error (403 instead of 401) in case of auth errors

Testing done:
- configured the webserver to use the secret method
- configured one valid secret `"FOOBAR"`
    - auth failed on the server
    ```
    END 2021-03-16 11:33:43.257294 POST /result/metrics/timestamp  0.00736689567565918
    Traceback (most recent call last):
      File "emission/net/api/cfc_webapp.py", line 594, in getUUID
        retUUID = enaa.getUUID(request, auth_method, inHeader)
      File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 67, in getUUID
        retUUID = getUUIDFromToken(authMethod, userToken)
      File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 41, in getUUIDFromToken
        userEmail = AuthMethodFactory.getAuthMethod(authMethod).verifyUserToken(token)
      File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/secret.py", line 29, in verifyUserToken
        (token, len(self.client_secret_list)))
    ValueError: Invalid token REPLACEMEkVVdF9rT, not found in list of length 1
    ```
    - reflected on the client
    ```
    2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)
    2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "ERROR:Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)
    ```

- configured the same valid secret as the phone `"REPLACEME"`
    e-mission/e-mission-phone@c00f63b
    - auth succeded on server
    ```
    START 2021-03-16 11:36:22.818484 POST /result/metrics/timestamp
    END 2021-03-16 11:36:22.832453 POST /result/metrics/timestamp cf8ccb7b-84d7-40e4-a726-7691e614b042 0.013911962509155273
    ```
    - reflected on client
    ```
    2021-03-16 11:36:21.821 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, connectionSettings = {"connectUrl":"http:\/\/10.0.2.2:8080","android":{"auth":{"method":"prompted-auth","clientID":"ignored"}},"ios":{"auth":{"method":"prompted-auth","clientID":"ignored"}}}
    2021-03-16 11:36:21.832 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, returning http://10.0.2.2:8080
    2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: Posting data to http://10.0.2.2:8080/result/metrics/timestamp
    2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: About to execute query SELECT data FROM userCache WHERE key = 'prompted-auth' AND type = 'local-storage' AND write_ts >= 0.0 AND write_ts <= 1.615919781836E12 ORDER BY write_ts DESC
    2021-03-16 11:36:21.848 23394-9405/edu.berkeley.eecs.emission.devapp I/PromptedAuth: Auth found in local storage, now it should be stable
    2021-03-16 11:36:21.887 23394-9405/edu.berkeley.eecs.emission.devapp I/CommunicationHelper: Got response org.apache.http.message.BasicHttpResponse@c89c5d6 with status HTTP/1.1 200 OK
    ```
@shankari
Change the default IP address to 0.0.0.0
974e587 
Using `0.0.0.0` used to break on iOS but doesn't seem to any more.
Makes it easier for end to end testing on both android and iOS since android
requires `0.0.0.0` to accept connections from the emulator.
@shankari
Setting the default sample secret to REPLACEME
d0b77a2 
To match the phone default sample secret
shankari/e-mission-phone@c00f63b
@shankari shankari merged commit c23f98d into e-mission:master Mar 17, 2021
jf87 pushed a commit to jf87/e-mission-server that referenced this pull request Jun 21, 2021
@shankari
Merge pull request e-mission#802 from shankari/add_secret_auth
8e7f0c2 
Support a new "secret" auth method on the phone
@MukuFlash03 MukuFlash03 mentioned this pull request Mar 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@shankari