Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API to pass and retrieve hashed SIP password #353

Closed
ibc opened this issue Jan 15, 2016 · 9 comments
Closed

API to pass and retrieve hashed SIP password #353

ibc opened this issue Jan 15, 2016 · 9 comments
Assignees
Milestone

Comments

@ibc
Copy link
Member

ibc commented Jan 15, 2016

Goal:

  1. Pass uri and clear password as always.
  2. Add ua.getHashedPassword() that retrieves HA1=MD5(username:realm:password) (so we need to also set the realm somehow...
  3. Allow UA to be provided with uri and ha1Password instead of plain password.

@jmillan any concern about this?

@ibc ibc self-assigned this Jan 15, 2016
@ibc ibc added this to the 0.7.X milestone Jan 15, 2016
@saghul
Copy link
Contributor

saghul commented Jan 15, 2016

FWIW, me likey. I'd make the real optional, and set it to the domain by default. Asterisk uses 'asterisk' by default as the realm, so people may want to change it.

@ibc
Copy link
Member Author

ibc commented Jan 15, 2016

OK, so in practice we would want a new realm configuration param that would just be used when ha1Password is also provided, agreed?

let ua = new JsSIP.UA({
    uri: 'sip:[email protected]',
    password: '1234fuckmeeasy'
});

and:

let ua = new JsSIP.UA({
    uri: 'sip:[email protected]',
    realm: 'asterisk',  // optional, if not set defaults to "atlanta.com"
    ha1Password: 'iwudkasjhdk234asd'
});

@ibc
Copy link
Member Author

ibc commented Jan 15, 2016

NOTE FOR ME: once first authentication is done, the UA should delete the clear SIP password from its internal configuration object and automatically set the ha1Password and realm fields. In this way the lifetime of the clear password would be reduced (between UA creation and first successful authentication).

CONS: rare use case in which the server requires a late authentication with a new realm... In that case the auth would just fail, but we can live with it IMHO. Thoughts?

@murillo128
Copy link

My two cents, in some weird cases, authentication info could be different than sip info, maybe something like this is could be useful:

let ua = new JsSIP.UA({
    username: '[email protected]',
    auth: {
             username: 'alice',
             realm: 'foo.com',
             ha1Password: 'iwudkasjhdk234asd'
   }
});

@ibc
Copy link
Member Author

ibc commented Jan 15, 2016

There is already a authorization_user param for that case.

Regarding parameters grouping, I like it, but better leave it for a new 0.8.x milestone so we don't break the current API and can add the feature exposed here in the current 0.7.x set of releases.

@saghul
Copy link
Contributor

saghul commented Jan 15, 2016

OK, so in practice we would want a new realm configuration param that would just be used when ha1Password is also provided, agreed?

let ua = new JsSIP.UA({
uri: 'sip:[email protected]',
password: '1234fuckmeeasy'
});

and:

let ua = new JsSIP.UA({
uri: 'sip:[email protected]',
real: 'asterisk', // optional, if not set defaults to "atlanta.com"
ha1Password: 'iwudkasjhdk234asd'
});

Assuming you mean "realm" 👍

@ibc
Copy link
Member Author

ibc commented Jan 15, 2016

Kill me.

@ibc ibc closed this as completed in e50debc Feb 5, 2016
@ibc
Copy link
Member Author

ibc commented Feb 5, 2016

Done in master. Also note that, with this new feature and even if no ha1 & realm are given, JsSIP deletes the given plain SIP password from memory and, instead, stores the generated and validated ha1 among with the resulting realm.

UA class also exposes new methods (configuration setters and getters):

  • ua.get(property): property can be realm / ha1 (useful for the app to store them in local storage and don't ask the user for the plain SIP password anymore).
  • ua.set(property, value): property can be password / realm / ha1.

@jmillan
Copy link
Member

jmillan commented Feb 5, 2016

👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

4 participants