<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:25 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Don't feel safe because you're doing something with Base64 or using<br>
basic authentication.</blockquote><div><br></div><div style>yep, I know :) said "somewhat" secured :)</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It doesn't guarantee safety, the HTTP Basic<br>
Authentication scheme is not considered a secure method without TLS/SSL,<br>
because username and password are passed over the network in cleartext.<br></blockquote><div><br></div><div style>yep, I know - not hard to "read" the values behind the Base64 string.</div><div style>But I have never seen Basic w/o SSL :) But... not saying that some may do it :) </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
For this reason we will replace it with Digest or Hawk into the near future.<br></blockquote><div><br></div><div style>that sounds great!!! :))</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><br>
Matthias Wessendorf wrote:<br>
> Hi,<br>
><br>
> with the use of this helper<br>
</div>> <<a href="https://github.com/davidchambers/Base64.js" target="_blank">https://github.com/davidchambers/Base64.js</a>>, it is "safe" (I think) to<br>
<div class="im">> use the |window.btoa| function(see details<br>
</div>> <<a href="https://developer.mozilla.org/en-US/docs/Web/API/window.btoa" target="_blank">https://developer.mozilla.org/en-US/docs/Web/API/window.btoa</a>>), to<br>
<div class="im">> perform a (simple) Base64 encoding.<br>
><br>
> Base64 encoding is required, since the "Device Registration" HTTP REST<br>
> endpoint now uses HTTP_Basic (for details see the matching thread<br>
</div>> <<a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html" target="_blank">http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html</a>>).<br>
<div><div class="h5">><br>
> Currently we perform this code for "channel registration":<br>
><br>
> |$.ajax({<br>
> contentType:"application/json",<br>
> dataType:"json",<br>
> type:"POST",<br>
> url: url,<br>
> headers: {<br>
> "ag-mobile-variant": variantID<br>
> },<br>
> data: JSON.stringify({<br>
> category: messageType,<br>
> deviceToken: endpoint.channelID,<br>
> clientIdentifier: alias<br>
> })<br>
> });<br>
> |<br>
><br>
> As mentioned on the "Security thread", the |variantID| is no longer a<br>
> header, it is part of the HTTP_Basic auth process.<br>
><br>
> This is a (local) JavaScript change that I did. It works fine so far:<br>
><br>
> |$.ajax({<br>
> contentType:"application/json",<br>
> dataType:"json",<br>
> type:"POST",<br>
> crossDomain: true,<br>
> url: url,<br>
> headers: {<br>
> "Authorization":"Basic" + window.btoa(variantID +":" + secret)<br>
> },<br>
> data: JSON.stringify({<br>
> category: messageType,<br>
> deviceToken: endpoint.channelID,<br>
> alias: alias ///// NOTE:: the key has changed..........<br>
> })<br>
> });<br>
> |<br>
><br>
> The important thing: we add the |"Authorization": "Basic "| header and<br>
</div></div>> using the mentioned|window.btoa()| function for the actual encoding.<br>
<div class="im HOEnZb">><br>
> The same applies for the |DELETE| (unregistration).<br>
><br>
> Any thoughts? Otherwise, I'd send a PR.<br>
><br>
> Ah.... the dependency against the |Base64.js| polyfill library<br>
> would/should be included in our "grunt" build for "distribution", or<br>
> would it be "just" declared (yeah, those are details, but I'm asking out of curiosity)<br>
><br>
><br>
> --<br>
> Matthias Wessendorf<br>
><br>
> blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
> sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
> twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
><br>
</div><div class="im HOEnZb">> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
</div><span class="HOEnZb"><font color="#888888">--<br>
abstractj<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
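<div>The header construction discussed in the thread, as an added example that is not part of the original e-mails and is not AeroGear code: it builds the <code>Authorization: Basic</code> value the way the quoted <code>$.ajax</code> snippet does (note the space after <code>Basic</code>, which the RFC requires), goes through UTF-8 bytes because <code>window.btoa</code> throws on characters above U+00FF, and includes the inverse decoder to show that anyone on the path of a plain-<code>http://</code> request recovers the variant ID and secret with no effort. The function names and the <code>https://</code>-only guard in <code>buildRegistrationRequest</code> are hypothetical, not an AeroGear API.</div>

```javascript
// Added example (not AeroGear's code): build and inspect an HTTP Basic
// Authorization header as the quoted $.ajax snippet does.

// Base64-encode a JS string as UTF-8 bytes. window.btoa only accepts
// "binary strings" (code points <= 0xFF) and throws on e.g. "€", so we
// go through TextEncoder first. Works in browsers and in Node.
function base64Utf8(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Inverse of base64Utf8.
function base64ToUtf8(b64) {
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// RFC 7617: credentials = "Basic" SP base64(user-id ":" password).
// Without the space the server sees "BasicdmFy..." and rejects the
// scheme. The user-id (here the variant ID) must not contain ":".
function basicAuthHeader(variantID, secret) {
  if (variantID.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + base64Utf8(variantID + ":" + secret);
}

// What a network observer sees if the request goes over plain http://.
// Base64 is an encoding, not encryption: this is the whole "attack".
function parseBasicAuthHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(header);
  if (!m) return null;
  const decoded = base64ToUtf8(m[1]);
  const i = decoded.indexOf(":");
  if (i < 0) return null;
  return { user: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Hypothetical guard mirroring the thread's point that Basic is only
// acceptable over TLS: refuse to attach credentials to a non-https URL.
// Returns a plain request description rather than calling $.ajax so it
// can run outside a browser.
function buildRegistrationRequest(url, variantID, secret, body) {
  if (!/^https:\/\//i.test(url)) {
    throw new Error("refusing to send Basic credentials over " + url.split(":")[0]);
  }
  return {
    method: "POST",
    url: url,
    headers: {
      "Content-Type": "application/json",
      Authorization: basicAuthHeader(variantID, secret),
    },
    body: JSON.stringify(body),
  };
}
```

<div>The first assertion below uses the RFC 7617 sample credentials <code>Aladdin</code> / <code>open sesame</code>; the round trip with a non-Latin-1 secret is the case where a bare <code>window.btoa(variantID + ":" + secret)</code> would throw.</div>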