How do I Authenticate with a Web Browser

[Yaron 53]

I am writing a server using MARS with the client being a web browser (e.g. firefox) sending form data to the server.

I don't want every user to be able to access the form, so I need to implement a login/authentication system.

 

The authentication demo code I've seen ('MARS-Repository\MARS\Demos\Authorization\') seems to require using MARS client-code, which I don't think is possible if the client is a web browser.

 

Do I need to write my own authentication code or is there some way I can leverage MARS's authentication code for this purpose?

 

[Andrea Magni 75]

Hi @Yaron,

web applications may authenticate following several different schemas.

 

One of them is handling authentication and authorization through a token (Authentication Bearer schema) that for convenience may also be embedded into requests through the use of a cookie.

This kind of authorization/authentication schema is built-in with MARS and relies on JWT (https://jwt.io/) technology.

This means I've made some work to integrate JWT in MARS and it is provided as an example of authentication/authorization mechanism but it does not mean it is mandatory to use it, you can consider it as a working example. It is also production-ready BTW.

 

The typical use case:

1) the client (JS or whatever) should get a token from the server (make a POST request to the included TTokenResource class)

2) store the token somewhere on the client-side (or rely on the cookie that the server instructs to keep when successful authentication is done)

3) endorse the token within each client request through the Authentication header ("Bearer <TOKEN>") or rely on browser sending the cookie back to the server

 

On the server side, you may ask MARS to provide you an instance of TMARSToken through the Dependency Injection mechanism built-in with MARS. Just add a "[Context] TheToken: TMARSToken;"
field to your resource class and you'll get a valid instance (check TheToken.Verified, TheToken.UserName and other properties).

 

Also check the Authentication demo and try to open a browser at the following URL: http://localhost:8080/rest/default/token/html

You can use Chrome Developer Tools to see requests and cookies.

 

Let me know if this helps, otherwise I may add a demo of a simple webapp using Bootstrap and performing authentication.

 

Sincerely,

Andrea

[Yaron 53]

Is there documentation on how to use MARS to embed data in a cookie and retrieve it on subsequent calls?

 

And of course, any additional sample code would be a blessing.

Edited June 6, 2019 by Yaron

[Andrea Magni 75]

Hi @Yaron,

if you are using MARS develop branch, you can do as the following example:

 

uses MARS.Core.RequestAndResponse.Interfaces

THelloWorldResource = class
  //...
protected
    [Context] Response: IMARSResponse;
public
    [GET, Path('cookietest')]
    function MyMethod(): TJSONObject;
end;

function THelloWorldResource.MyMethod: TJSONObject;
begin
  Result := TJSONObject.Create;
  Result.WriteStringValue('msg', 'This method will also set MyCookie value to current time');
  Response.SetCookie('MyCookie', TimeToStr(Now), 'localhost', '/', Now+1, True);
end;

 

If you are using MARS master branch, it should be very similar but you need to use TMARSResponse instead of IMARSResponse (and the MARS.Core.RequestAndResponse.Interfaces unit is not available).

But the SetCookie method call should be the same.

This example sets the MyCookie value to the current time (string) for 'localhost' domain (you may want to read the actual host from the incoming request) and for every path matching '/'. Expiration is set 1 day after the request and the Secure flag is set to True.

 

Sincerely,

Andrea