<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">If it's just to meet the new requirement of the server, that's fine. As long as we are aware that there is no security gain from this in JS land and that we make our users aware of this as well.<div><br><div><div>On Jun 20, 2013, at 10:18 AM, Kris Borchers <<a href="mailto:kris@redhat.com">kris@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">So I'm trying to figure out what we gain from this … now instead of putting your variantID in the JS, you are putting the variantID and a secret in the JS. I don't see any security gain here so trying to figure out what we gain.<div><br><div><div>On Jun 20, 2013, at 10:12 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; margin-top: 0px !important; ">
Hi,</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; margin-top: 0px !important; ">
with the use of <a href="https://github.com/davidchambers/Base64.js" style="color:rgb(65,131,196);text-decoration:none">this helper</a>, it is "safe" (I think) to use the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">window.btoa</code> function(<a href="https://developer.mozilla.org/en-US/docs/Web/API/window.btoa" style="color:rgb(65,131,196);text-decoration:none">see details</a>), to perform a (simple) Base64 encoding.</p><p style="margin: 15px 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; ">Base64 encoding is required, since the "Device Registration" HTTP REST endpoint now uses HTTP_Basic (for details see the <a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html" style="color:rgb(65,131,196);text-decoration:none">matching thread</a>).</p><p style="margin: 15px 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; ">Currently we perform this code for "channel registration":</p>
<pre style="font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 13px; line-height: 19px; margin-top: 15px; margin-bottom: 15px; background-color: rgb(248, 248, 248); border: 1px solid rgb(221, 221, 221); overflow: auto; padding: 6px 10px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; "><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">$.ajax({
contentType: "application/json",
dataType: "json",
type: "POST",
url: url,
headers: {
"ag-mobile-variant": variantID
},
data: JSON.stringify({
category: messageType,
deviceToken: endpoint.channelID,
clientIdentifier: alias
})
});
</code></pre><p style="margin: 15px 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; ">As mentioned on the "Security thread", the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">variantID</code> is no longer a header, it is part of the HTTP_Basic auth process.</p><p style="margin: 15px 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; ">This is a (local) JavaScript change that I did. It works fine so far:</p>
<pre style="font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 13px; line-height: 19px; margin-top: 15px; margin-bottom: 15px; background-color: rgb(248, 248, 248); border: 1px solid rgb(221, 221, 221); overflow: auto; padding: 6px 10px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; "><code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px;padding:0px;border:none;background-color:transparent;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px">$.ajax({
contentType: "application/json",
dataType: "json",
type: "POST",
crossDomain: true,
url: url,
headers: {
"Authorization": "Basic " + window.btoa(variantID + ":" + secret)
},
data: JSON.stringify({
category: messageType,
deviceToken: endpoint.channelID,
alias: alias ///// NOTE:: the key has changed..........
})
});
</code></pre><p style="margin: 15px 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; ">The important thing: we add the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">"Authorization": "Basic "</code> header and using the mentioned<code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">window.btoa()</code> function for the actual encoding.</p><p style="margin: 15px 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; ">The same applies for the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">DELETE</code> (unregistration).</p><p style="margin: 15px 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; ">Any thoughts? Otherwise, I'd send a PR.</p><p style="margin-top: 15px; margin-right: 0px; margin-left: 0px; font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.454545021057129px; line-height: 22.727272033691406px; margin-bottom: 0px !important; ">
Ah.... the dependency agains the <code style="font-family:Consolas,'Liberation Mono',Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">Base64.js</code> polyfill library would/should be included in our "grunt" build for "distribution", or would it be "just" declared (yeah, that's details but asking for curiousity)</p>
<div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote></div><br></div></div>_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>https://lists.jboss.org/mailman/listinfo/aerogear-dev</blockquote></div><br></div></body></html>