Pure HTTP client authentication?

[ecorm]

Is it possible for a pure HTTP REST client (that uses Crossbar's HTTP bridge feature) to authenticate on Crossbar without having to first connect via Websocket to obtain the authentication cookie?

All I could find in the docs (now only available via RST files in the repo) is the following under Cookie-Authentication.rst:

Note that to use cookie-based authentication you have to activate cookie-tracking and at least one non-cookie based authentication method.

As a workaround, I was thinking that the web app could provide a special com.myapp.login RPC accessible without authentication via an HTTP bridge. But I don't see how an HTTP-only authentication cookie could be set by this RPC unless Crossbar recognizes that it's a special authentication RPC.

Full disclosure: I don't actually need this feature. I'm at the point in my CppWAMP router development where I want to implement a bare bones HTTP server for serving static files, and I'm thinking ahead about the possibility of adding a REST interface similar to Crossbar's HTTP bridge feature.

[ecorm]

Found this blog post about securely storing JWTs, and I think it could be applied to my proposed com.myapp.login RPC workaround: https://mannharleen.github.io/2020-03-19-handling-jwt-securely-part-1/

Edit: The in-memory JWT storage scheme proposed in that blog wouldn't work, because Crossbar is expecting the authentication token in the HTTP Cookie header, and not in the HTTP Authorization header. The browser would have to manually set the authentication token as a cookie after receiving it from the com.myapp.login RPC. This makes the token vulnerable to XSS and CSRF attacks.

[oberstet]

Hi @ecorm, sorry for sluggish response .. I missed that.

authentication of REST bridge: no, that's not there, pls see #1205

---

independent of authentication of HTTP requests to the bridge, what is there is signed bridge requests. pls see

https://github.com/crossbario/crossbar-examples/blob/aa31d9fe3abcb4b797931356b5a2ceeac64229c3/rest/publisher/.crossbar/config.json#L57

https://github.com/crossbario/crossbar-examples/blob/aa31d9fe3abcb4b797931356b5a2ceeac64229c3/rest/caller/.crossbar/config.json#L61

crossbar/crossbar/bridge/rest/common.py

Line 116 in 03d7057

if 'secret' in options:

crossbar/crossbar/bridge/rest/common.py

Line 455 in 03d7057

# FIXME: authorize request

---

"all" REST bridge examples are:

(cpy311_7) oberstet@intel-nuci7:~/scm/crossbario/crossbar$ find ../crossbar-examples/ -name "*.json" -exec grep -Hi '"type": "caller"' {} \;
../crossbar-examples/rest/caller_performance/.crossbar/config_multi_worker.json:                            "type": "caller",
../crossbar-examples/rest/caller_performance/.crossbar/config.json:                            "type": "caller",
../crossbar-examples/rest/callee/.crossbar/config.json:                            "type": "caller",
../crossbar-examples/rest/caller/.crossbar/config.json:                            "type": "caller",
../crossbar-examples/rest/caller/.crossbar/config.json:                            "type": "caller",
../crossbar-examples/iotcookbook/app/weights/wpadlab/.crossbar/config.json:                            "type": "caller",
../crossbar-examples/proxy/.crossbar/config6.json:                            "type": "caller",
../crossbar-examples/proxy/.crossbar/config6.json:                            "type": "caller",
../crossbar-examples/proxy/.crossbar/config7.json:                            "type": "caller",
../crossbar-examples/proxy/.crossbar/config7.json:                            "type": "caller",
../crossbar-examples/proxy/.crossbar/config5.json:                            "type": "caller",
../crossbar-examples/proxy/.crossbar/config5.json:                            "type": "caller",
../crossbar-examples/database/postgresql/caller/.crossbar/config.json:                            "type": "caller",
(cpy311_7) oberstet@intel-nuci7:~/scm/crossbario/crossbar$ find ../crossbar-examples/ -name "*.json" -exec grep -Hi '"type": "publisher"' {} \;
../crossbar-examples/rest/subscriber/.crossbar/config.json:                            "type": "publisher",
../crossbar-examples/rest/publisher_tls/.crossbar/config.json:                            "type": "publisher",
../crossbar-examples/rest/publisher_tls/.crossbar/config.json:                            "type": "publisher",
../crossbar-examples/rest/publisher/.crossbar/config.json:                            "type": "publisher",
../crossbar-examples/rest/publisher/.crossbar/config.json:                            "type": "publisher",
../crossbar-examples/django/realtimemonitor/.crossbar/config.json:                            "type": "publisher",
(cpy311_7) oberstet@intel-nuci7:~/scm/crossbario/crossbar$ 

---

one last thing if I may kindly ask: could you verify/ack that what I wrote in 2. in the following comment is really correct rgd the spec?

#2089 (comment)

[ecorm]

Thanks for the info!