<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:25 PM, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Don&#39;t feel safe because you&#39;re doing something with Base64 or using<br>
basic authentication.</blockquote><div><br></div><div style>yep, I know :) said &quot;somewhat&quot; secured :)</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
 It doesn&#39;t guarantee safety; the HTTP Basic<br>
Authentication scheme is not considered a secure method without TLS/SSL,<br>
because username and password are passed over the network in cleartext.<br></blockquote><div><br></div><div style>yep, I know - not hard to &quot;read&quot; the values behind the Base64 string.</div><div style>But I have never seen Basic w/o SSL :) But... not saying that some may do it :) </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
For this reason we will replace it with Digest or Hawk in the near future.<br></blockquote><div><br></div><div style>that sounds great !!! :))</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div class="im"><br>
Matthias Wessendorf wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; with the use of this helper<br>
</div>&gt; &lt;<a href="https://github.com/davidchambers/Base64.js" target="_blank">https://github.com/davidchambers/Base64.js</a>&gt;, it is &quot;safe&quot; (I think) to<br>
<div class="im">&gt; use the |window.btoa| function(see details<br>
</div>&gt; &lt;<a href="https://developer.mozilla.org/en-US/docs/Web/API/window.btoa" target="_blank">https://developer.mozilla.org/en-US/docs/Web/API/window.btoa</a>&gt;), to<br>
<div class="im">&gt; perform a (simple) Base64 encoding.<br>
&gt;<br>
&gt; Base64 encoding is required, since the &quot;Device Registration&quot; HTTP REST<br>
&gt; endpoint now uses HTTP_Basic (for details see the matching thread<br>
</div>&gt; &lt;<a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html" target="_blank">http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html</a>&gt;).<br>
<div><div class="h5">&gt;<br>
&gt; Currently we perform this code for &quot;channel registration&quot;:<br>
&gt;<br>
&gt; |$.ajax({<br>
&gt;    contentType:&quot;application/json&quot;,<br>
&gt;    dataType:&quot;json&quot;,<br>
&gt;    type:&quot;POST&quot;,<br>
&gt;    url: url,<br>
&gt;    headers: {<br>
&gt;      &quot;ag-mobile-variant&quot;: variantID<br>
&gt;    },<br>
&gt;    data: JSON.stringify({<br>
&gt;      category: messageType,<br>
&gt;      deviceToken: endpoint.channelID,<br>
&gt;      clientIdentifier: alias<br>
&gt;    })<br>
&gt; });<br>
&gt; |<br>
&gt;<br>
&gt; As mentioned on the &quot;Security thread&quot;, the |variantID| is no longer a<br>
&gt; header, it is part of the HTTP_Basic auth process.<br>
&gt;<br>
&gt; This is a (local) JavaScript change that I did. It works fine so far:<br>
&gt;<br>
&gt; |$.ajax({<br>
&gt;    contentType:&quot;application/json&quot;,<br>
&gt;    dataType:&quot;json&quot;,<br>
&gt;    type:&quot;POST&quot;,<br>
&gt;    crossDomain: true,<br>
&gt;    url: url,<br>
&gt;    headers: {<br>
&gt;      &quot;Authorization&quot;:&quot;Basic &quot;  + window.btoa(variantID +&quot;:&quot;  + secret)   // note the space after &quot;Basic&quot;<br>
&gt;    },<br>
&gt;    data: JSON.stringify({<br>
&gt;      category: messageType,<br>
&gt;      deviceToken: endpoint.channelID,<br>
&gt;      alias: alias     ///// NOTE:: the key has changed..........<br>
&gt;    })<br>
&gt; });<br>
&gt; |<br>
&gt;<br>
&gt; The important thing: we add the |&quot;Authorization&quot;: &quot;Basic &quot;| header and<br>
</div></div>&gt; using the mentioned|window.btoa()| function for the actual encoding.<br>
<div class="im HOEnZb">&gt;<br>
&gt; The same applies for the |DELETE| (unregistration).<br>
&gt;<br>
&gt; Any thoughts? Otherwise, I&#39;d send a PR.<br>
&gt;<br>
&gt; Ah.... the dependency against the |Base64.js| polyfill library<br>
&gt; would/should be included in our &quot;grunt&quot; build for &quot;distribution&quot;, or<br>
&gt; would it be &quot;just&quot; declared (yeah, that&#39;s details but asking for curiosity)<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; Matthias Wessendorf<br>
&gt;<br>
&gt; blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
&gt; sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
&gt; twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
&gt;<br>
</div><div class="im HOEnZb">&gt; _______________________________________________<br>
&gt; aerogear-dev mailing list<br>
&gt; <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
&gt; <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
</div><span class="HOEnZb"><font color="#888888">--<br>
abstractj<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
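The thread above builds an HTTP Basic `Authorization` header with `window.btoa` and notes that the Base64 string hides nothing without TLS. The following is an added example, not code from the AeroGear project or from either poster: it builds the header the way the quoted `$.ajax` call does (with the space after `Basic`, the colon check RFC 7617 requires, and UTF-8 handling for `btoa`, which only accepts byte-sized code points), decodes such a header to show that the credentials come straight back out, and refuses to attach the credentials to a non-`https:` URL. The function names, the `example.test` host and the sample values are this example's own; the header and JSON field names mirror the quoted snippet.

```javascript
// Added example (not AeroGear code): building and inspecting the Basic
// "Authorization" header used by the device-registration call in the thread.
// basicAuthHeader, decodeBasicAuthHeader and buildRegistrationRequest are
// names chosen for this example.

// window.btoa/atob exist in browsers (and as globals in recent Node.js);
// fall back to Buffer the way a Base64.js-style polyfill would.
const base64Encode = (typeof btoa === "function")
  ? (s) => btoa(s)
  : (s) => Buffer.from(s, "latin1").toString("base64");
const base64Decode = (typeof atob === "function")
  ? (s) => atob(s)
  : (s) => Buffer.from(s, "base64").toString("latin1");

// btoa works on "binary strings" (one character per byte, code points 0..255)
// and throws on anything wider, so credentials are UTF-8 encoded first.
function toBinaryString(str) {
  return Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join("");
}
function fromBinaryString(bin) {
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Header value for the variant ID / secret pair. The receiver splits on the
// first colon, so RFC 7617 forbids a colon in the user-id. Note the space
// after "Basic": without it the scheme token and the credentials run together.
function basicAuthHeader(userId, secret) {
  if (userId.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + base64Encode(toBinaryString(userId + ":" + secret));
}

// The reverse operation. Base64 is an encoding, not encryption: whoever can
// read the header (on a non-TLS connection, in a proxy log) has the secret.
function decodeBasicAuthHeader(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/.exec(headerValue);
  if (!m) throw new Error("not a Basic credentials header");
  const pair = fromBinaryString(base64Decode(m[1]));
  const idx = pair.indexOf(":");
  if (idx < 0) throw new Error("malformed credentials");
  return { userId: pair.slice(0, idx), secret: pair.slice(idx + 1) };
}

// The registration call from the quoted $.ajax snippet, as plain data that a
// transport layer could send. Basic credentials are only attached to an
// https: endpoint; anything else is refused rather than sent in cleartext.
function buildRegistrationRequest(url, variantId, secret, body) {
  const u = new URL(url);
  if (u.protocol !== "https:") {
    throw new Error("refusing to send Basic credentials over " + u.protocol + "//");
  }
  return {
    method: "POST",
    url,
    headers: {
      "Content-Type": "application/json",
      Authorization: basicAuthHeader(variantId, secret),
    },
    body: JSON.stringify({
      category: body.category,
      deviceToken: body.deviceToken,
      alias: body.alias,
    }),
  };
}

// Stand-alone demonstration with constructed sample values.
if (typeof require !== "undefined" && require.main === module) {
  const req = buildRegistrationRequest(
    "https://push.example.test/rest/registry/device",   // constructed host
    "variant-1", "s3cret",
    { category: "news", deviceToken: "channel-abc", alias: "alice" });
  console.log(req.headers.Authorization);
  console.log(decodeBasicAuthHeader(req.headers.Authorization)); // secret is visible again
}
```

The `https:` check belongs in the client because the server cannot tell whether the credentials it receives were already exposed in transit; if a Digest or Hawk scheme replaces Basic as planned in the thread, only `basicAuthHeader` and the decoder change, the request builder stays the same.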