<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:21 PM, Kris Borchers <span dir="ltr"><<a href="mailto:kris@redhat.com" target="_blank">kris@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">If it's just to meet the new requirement of the server, that's fine.</div></blockquote>
<div><br></div><div style>somewhat, yeah</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">As long as we are aware that there is no security gain from this in JS land and that we make our users aware of this as well.</div>
</blockquote><div><br></div><div style>Currently the endpoint for device registration is "somewhat" secured. Of course JS is odd here.... but even if one knows the variantID and password,</div><div style>he could not mess around with the Android/iOS variants (they have other ID/secrets).</div>
<div style><br></div><div><br></div><div style>Perhaps... for SimplePush we can just have a "100% unsecured" endpoint? (instead of doing BASIC with (variantID:secret).</div><div style><br></div><div style><br></div>
<div style>Question: Is it possible... to check with a SimplePush server if a "channelID" is valid (for the simple-push server) ?</div><div style>So that we can check that channelID "foo" does NOT exist on the SimplePushServer, so we ignore the "registration attempt"<br>
</div><div style><br></div><div style><br></div><div style>Regarding variantID:secret, I guess not even something like "CryptoJS" can help much here... since it has to parse the "input"</div><div style>
<br></div><div style><br></div><div style>-Matthias</div><div style><br></div><div style><br></div><div style><br></div><div style><br></div><div><br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><div class="h5"><div><br><div><div>On Jun 20, 2013, at 10:18 AM, Kris Borchers <<a href="mailto:kris@redhat.com" target="_blank">kris@redhat.com</a>> wrote:</div><br><blockquote type="cite">
<div style="word-wrap:break-word">So I'm trying to figure out what we gain from this … now instead of putting your variantID in the JS, you are putting the variantID and a secret in the JS. I don't see any security gain here so trying to figure out what we gain.<div>
<br><div><div>On Jun 20, 2013, at 10:12 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr"><p style="margin-right:0px;margin-bottom:15px;margin-left:0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-top:0px!important">
Hi,</p><p style="margin-right:0px;margin-bottom:15px;margin-left:0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-top:0px!important">
with the use of <a href="https://github.com/davidchambers/Base64.js" style="color:rgb(65,131,196);text-decoration:none" target="_blank">this helper</a>, it is "safe" (I think) to use the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">window.btoa</code> function(<a href="https://developer.mozilla.org/en-US/docs/Web/API/window.btoa" style="color:rgb(65,131,196);text-decoration:none" target="_blank">see details</a>), to perform a (simple) Base64 encoding.</p>
<p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Base64 encoding is required, since the "Device Registration" HTTP REST endpoint now uses HTTP_Basic (for details see the <a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html" style="color:rgb(65,131,196);text-decoration:none" target="_blank">matching thread</a>).</p>
<p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Currently we perform this code for "channel registration":</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">
<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">$.ajax({
contentType: "application/json",
dataType: "json",
type: "POST",
url: url,
headers: {
"ag-mobile-variant": variantID
},
data: JSON.stringify({
category: messageType,
deviceToken: endpoint.channelID,
clientIdentifier: alias
})
});
</code></pre><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">As mentioned on the "Security thread", the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">variantID</code> is no longer a header, it is part of the HTTP_Basic auth process.</p>
<p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">This is a (local) JavaScript change that I did. It works fine so far:</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:13px;line-height:19px;margin-top:15px;margin-bottom:15px;background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">
<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">$.ajax({
contentType: "application/json",
dataType: "json",
type: "POST",
crossDomain: true,
url: url,
headers: {
"Authorization": "Basic " + window.btoa(variantID + ":" + secret)
},
data: JSON.stringify({
category: messageType,
deviceToken: endpoint.channelID,
alias: alias ///// NOTE:: the key has changed..........
})
});
</code></pre><p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">The important thing: we add the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">"Authorization": "Basic "</code> header and using the mentioned<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">window.btoa()</code> function for the actual encoding.</p>
<p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">The same applies for the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">DELETE</code> (unregistration).</p>
<p style="margin:15px 0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px">Any thoughts? Otherwise, I'd send a PR.</p><p style="margin-top:15px;margin-right:0px;margin-left:0px;font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.454545021057129px;line-height:22.727272033691406px;margin-bottom:0px!important">
Ah.... the dependency agains the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Base64.js</code> polyfill library would/should be included in our "grunt" build for "distribution", or would it be "just" declared (yeah, that's details but asking for curiousity)</p>
<div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div><br></div></div>_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div><br></div></div></div></div><br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>