[aerogear-dev] HTTP_Basic: SimplePush (Channel) Registration

Matthias Wessendorf matzew at apache.org
Thu Jun 20 11:28:15 EDT 2013


On Thu, Jun 20, 2013 at 5:21 PM, Kris Borchers <kris at redhat.com> wrote:

> If it's just to meet the new requirement of the server, that's fine.
>

somewhat, yeah


> As long as we are aware that there is no security gain from this in JS
> land and that we make our users aware of this as well.
>

Currently the endpoint for device registration is "somewhat" secured. Of
course JS is odd here.... but even if one knows the variantID and password,
he could not mess around with the Android/iOS variants (they have other
ID/secrets).


Perhaps... for SimplePush we can just have a "100% unsecured" endpoint
(instead of doing BASIC with variantID:secret)?


Question: Is it possible... to check with a SimplePush server if a
"channelID" is valid (for the simple-push server)?
So that we can check that channelID "foo" does NOT exist on the
SimplePushServer, so we ignore the "registration attempt".


Regarding variantID:secret, I guess not even something like "CryptoJS" can
help much here... since it has to parse the "input".


-Matthias

>
> On Jun 20, 2013, at 10:18 AM, Kris Borchers <kris at redhat.com> wrote:
>
> So I'm trying to figure out what we gain from this … now instead of
> putting your variantID in the JS, you are putting the variantID and a
> secret in the JS. I don't see any security gain here so trying to figure
> out what we gain.
>
> On Jun 20, 2013, at 10:12 AM, Matthias Wessendorf <matzew at apache.org>
> wrote:
>
> Hi,
>
> with the use of this helper <https://github.com/davidchambers/Base64.js>,
> it is "safe" (I think) to use the window.btoa function (see details
> <https://developer.mozilla.org/en-US/docs/Web/API/window.btoa>)
> to perform a (simple) Base64 encoding.
>
> Base64 encoding is required, since the "Device Registration" HTTP REST
> endpoint now uses HTTP_Basic (for details see the matching thread
> <http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html>).
>
> Currently we perform this code for "channel registration":
>
> $.ajax({
>   contentType: "application/json",
>   dataType: "json",
>   type: "POST",
>   url: url,
>   headers: {
>     "ag-mobile-variant": variantID
>   },
>   data: JSON.stringify({
>     category: messageType,
>     deviceToken: endpoint.channelID,
>     clientIdentifier: alias
>   })
> });
>
> As mentioned on the "Security thread", the variantID is no longer a
> header, it is part of the HTTP_Basic auth process.
>
> This is a (local) JavaScript change that I did. It works fine so far:
>
> $.ajax({
>   contentType: "application/json",
>   dataType: "json",
>   type: "POST",
>   crossDomain: true,
>   url: url,
>   headers: {
>     "Authorization": "Basic " + window.btoa(variantID + ":" + secret)
>   },
>   data: JSON.stringify({
>     category: messageType,
>     deviceToken: endpoint.channelID,
>     alias: alias // NOTE: the key has changed
>   })
> });
>
> The important thing: we add the "Authorization": "Basic " header and
> use the mentioned window.btoa() function for the actual encoding.
>
> The same applies for the DELETE (unregistration).
>
> Any thoughts? Otherwise, I'd send a PR.
>
> Ah.... the dependency against the Base64.js polyfill library would/should
> be included in our "grunt" build for "distribution", or would it be "just"
> declared (yeah, that's details but asking out of curiosity)
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
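As an added example (not code from this thread or from the AeroGear project), here is the header construction the new registration call relies on, paired with its inverse to make the point raised above concrete: Base64 via window.btoa is an encoding, so the variantID:secret pair stays readable to anyone who can see the request or the page source. The names variantID, secret, channelID and alias follow the thread; all sample values are constructed.

```javascript
// window.btoa/atob in browsers, Buffer in Node: both are standard Base64.
function toBase64(text) {
  if (typeof btoa === "function") return btoa(text);
  return Buffer.from(text, "latin1").toString("base64");
}
function fromBase64(b64) {
  if (typeof atob === "function") return atob(b64);
  return Buffer.from(b64, "base64").toString("latin1");
}

// Authorization header for "variantID:secret" (RFC 7617 shape).
// btoa only accepts Latin-1 input, so reject anything else up front instead
// of letting the browser throw a less descriptive InvalidCharacterError.
function basicAuthHeader(variantID, secret) {
  const creds = variantID + ":" + secret;
  if (/[^\u0000-\u00ff]/.test(creds)) {
    throw new Error("Basic credentials must be Latin-1 for btoa");
  }
  return "Basic " + toBase64(creds);
}

// The inverse: what a proxy, a log reader or anyone viewing the page source
// gets back. No key is involved, so this is encoding, not protection.
function parseBasicAuthHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header);
  if (!m) throw new Error("not a Basic Authorization header");
  const decoded = fromBase64(m[1]);
  const sep = decoded.indexOf(":"); // user-id may not contain ':', secret may
  return { user: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
}

// Request body with the renamed key ("alias" instead of "clientIdentifier").
function registrationBody(messageType, channelID, alias) {
  return JSON.stringify({ category: messageType, deviceToken: channelID, alias: alias });
}

// Constructed sample values, not real AeroGear credentials.
const header = basicAuthHeader("constructed-variant-id", "constructed-secret");
console.log(header);
console.log(parseBasicAuthHeader(header)); // the secret, back in the clear
```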