Jump to content

How do I Authenticate with a Web Browser

Recommended Posts

I am writing a server using MARS with the client being a web browser (e.g. firefox) sending form data to the server.

I don't want every user to be able to access the form, so I need to implement a login/authentication system.


The authentication demo code I've seen ('MARS-Repository\MARS\Demos\Authorization\') seems to require using MARS client-code, which I don't think is possible if the client is a web browser.


Do I need to write my own authentication code or is there some way I can leverage MARS's authentication code for this purpose?


Share this post

Link to post

Hi @Yaron,

web applications may authenticate following several different schemas.


One of them is handling authentication and authorization through a token (Authentication Bearer schema) that for convenience may also be embedded into requests through the use of a cookie.

This kind of authorization/authentication schema is built-in with MARS and relies on JWT (https://jwt.io/) technology.

This means I've made some work to integrate JWT in MARS and it is provided as an example of authentication/authorization mechanism but it does not mean it is mandatory to use it, you can consider it as a working example. It is also production-ready BTW.


The typical use case:

1) the client (JS or whatever) should get a token from the server (make a POST request to the included TTokenResource class)

2) store the token somewhere on the client-side (or rely on the cookie that the server instructs to keep when successful authentication is done)

3) endorse the token within each client request through the Authentication header ("Bearer <TOKEN>") or rely on browser sending the cookie back to the server


On the server side, you may ask MARS to provide you an instance of TMARSToken through the Dependency Injection mechanism built-in with MARS. Just add a "[Context] TheToken: TMARSToken;"
field to your resource class and you'll get a valid instance (check TheToken.Verified, TheToken.UserName and other properties).


Also check the Authentication demo and try to open a browser at the following URL: http://localhost:8080/rest/default/token/html

You can use Chrome Developer Tools to see requests and cookies.


Let me know if this helps, otherwise I may add a demo of a simple webapp using Bootstrap and performing authentication.




Share this post

Link to post

Is there documentation on how to use MARS to embed data in a cookie and retrieve it on subsequent calls?


And of course, any additional sample code would be a blessing.

Edited by Yaron

Share this post

Link to post

Hi @Yaron,

if you are using MARS develop branch, you can do as the following example:


uses MARS.Core.RequestAndResponse.Interfaces

THelloWorldResource = class
    [Context] Response: IMARSResponse;
    [GET, Path('cookietest')]
    function MyMethod(): TJSONObject;

function THelloWorldResource.MyMethod: TJSONObject;
  Result := TJSONObject.Create;
  Result.WriteStringValue('msg', 'This method will also set MyCookie value to current time');
  Response.SetCookie('MyCookie', TimeToStr(Now), 'localhost', '/', Now+1, True);


If you are using MARS master branch, it should be very similar but you need to use TMARSResponse instead of IMARSResponse (and the MARS.Core.RequestAndResponse.Interfaces unit is not available).

But the SetCookie method call should be the same.

This example sets the MyCookie value to the current time (string) for 'localhost' domain (you may want to read the actual host from the incoming request) and for every path matching '/'. Expiration is set 1 day after the request and the Secure flag is set to True.






Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now