Commit
Support a new "secret" auth method on the phone
This is a partial fix for issue e-mission/e-mission-docs#628

The new method assumes that all tokens are prefixed by a shared secret between the server and the client. This means that all tokens have two parts, both of which are validated by the method.
- The second part is used to identify the user; randomly generating it on the phone ensures that users can only see their own data.
- The first, shared part is configured into both the app and the server. It ensures that users can only connect to the server from authorized clients, which in this case are smartphone apps that embed the secret.

+ bonus fix to generate the correct error (403 instead of 401) in case of auth errors

Testing done:
- configured the webserver to use the secret method
- configured one valid secret `"FOOBAR"`
- auth failed on the server
```
END 2021-03-16 11:33:43.257294 POST /result/metrics/timestamp 0.00736689567565918
Traceback (most recent call last):
  File "emission/net/api/cfc_webapp.py", line 594, in getUUID
    retUUID = enaa.getUUID(request, auth_method, inHeader)
  File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 67, in getUUID
    retUUID = getUUIDFromToken(authMethod, userToken)
  File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 41, in getUUIDFromToken
    userEmail = AuthMethodFactory.getAuthMethod(authMethod).verifyUserToken(token)
  File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/secret.py", line 29, in verifyUserToken
    (token, len(self.client_secret_list)))
ValueError: Invalid token REPLACEMEkVVdF9rT, not found in list of length 1
```
- reflected on the client
```
2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)
2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "ERROR:Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)
```
- configured the same valid secret as the phone `"REPLACEME"` e-mission/e-mission-phone@c00f63b
- auth succeeded on server
```
START 2021-03-16 11:36:22.818484 POST /result/metrics/timestamp
END 2021-03-16 11:36:22.832453 POST /result/metrics/timestamp cf8ccb7b-84d7-40e4-a726-7691e614b042 0.013911962509155273
```
- reflected on client
```
2021-03-16 11:36:21.821 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, connectionSettings = {"connectUrl":"http:\/\/10.0.2.2:8080","android":{"auth":{"method":"prompted-auth","clientID":"ignored"}},"ios":{"auth":{"method":"prompted-auth","clientID":"ignored"}}}
2021-03-16 11:36:21.832 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, returning http://10.0.2.2:8080
2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: Posting data to http://10.0.2.2:8080/result/metrics/timestamp
2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: About to execute query SELECT data FROM userCache WHERE key = 'prompted-auth' AND type = 'local-storage' AND write_ts >= 0.0 AND write_ts <= 1.615919781836E12 ORDER BY write_ts DESC
2021-03-16 11:36:21.848 23394-9405/edu.berkeley.eecs.emission.devapp I/PromptedAuth: Auth found in local storage, now it should be stable
2021-03-16 11:36:21.887 23394-9405/edu.berkeley.eecs.emission.devapp I/CommunicationHelper: Got response org.apache.http.message.BasicHttpResponse@c89c5d6 with status HTTP/1.1 200 OK
```
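The two-part token check described in the commit message, as an added illustration that is not the project's own `secret.py`: the class name, the `client_secret_list` constructor argument, the minimum length of the user part and the `status_for_auth` helper are assumptions, and the HTTP status mapping mirrors the 403 behaviour the message reports.

```python
import hmac
import secrets


class SecretAuthMethod:
    """Hypothetical verifier for tokens shaped <client_secret><random user part>."""

    def __init__(self, client_secret_list, min_user_len=8):
        # Secrets configured on the server; the app embeds one of them.
        self.client_secret_list = list(client_secret_list)
        # Assumed floor on the random part so an empty or tiny user id is rejected.
        self.min_user_len = min_user_len

    def verifyUserToken(self, token):
        """Return the user part of the token, or raise ValueError if either part is bad."""
        user_part = None
        for secret in self.client_secret_list:
            prefix = token[:len(secret)]
            # Constant-time compare so the shared secret cannot be recovered
            # byte by byte from response timing.
            if len(prefix) == len(secret) and hmac.compare_digest(
                prefix.encode("utf-8"), secret.encode("utf-8")
            ):
                user_part = token[len(secret):]
                break
        if user_part is None:
            # Deliberately does not echo the token: a near-miss token would leak
            # the client's secret into the server log.
            raise ValueError(
                "Invalid token, not found in list of length %d"
                % len(self.client_secret_list)
            )
        if len(user_part) < self.min_user_len:
            raise ValueError("Invalid token: user part too short")
        return user_part


def generate_token(client_secret, n_bytes=12):
    """What the phone does: prepend the embedded secret to a random user id."""
    return client_secret + secrets.token_urlsafe(n_bytes)


def status_for_auth(method, token):
    """Map a verification result to the HTTP status the commit settles on."""
    try:
        method.verifyUserToken(token)
        return 200
    except ValueError:
        return 403
```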