Don't feel safe because you're doing something with Base64 or using
basic authentication. It doesn't guarantee safety: the HTTP Basic
Authentication scheme is not considered a secure method without TLS/SSL,
because the username and password are passed over the network in cleartext.
For this reason we will replace it with Digest or Hawk in the near future.
Matthias Wessendorf wrote:
Hi,
with the use of this helper <https://github.com/davidchambers/Base64.js>,
it is "safe" (I think) to use the |window.btoa| function (see details
<https://developer.mozilla.org/en-US/docs/Web/API/window.btoa>), to
perform a (simple) Base64 encoding.
Base64 encoding is required, since the "Device Registration" HTTP REST
endpoint now uses HTTP_Basic (for details see the matching thread
<http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html>).
Currently we perform this code for "channel registration":
    $.ajax({
        contentType: "application/json",
        dataType: "json",
        type: "POST",
        url: url,
        headers: {
            "ag-mobile-variant": variantID
        },
        data: JSON.stringify({
            category: messageType,
            deviceToken: endpoint.channelID,
            clientIdentifier: alias
        })
    });
As mentioned on the "Security thread", the |variantID| is no longer a
header, it is part of the HTTP_Basic auth process.
This is a (local) JavaScript change that I did. It works fine so far:
    $.ajax({
        contentType: "application/json",
        dataType: "json",
        type: "POST",
        crossDomain: true,
        url: url,
        headers: {
            // scheme name and credentials must be separated by a space
            "Authorization": "Basic " + window.btoa(variantID + ":" + secret)
        },
        data: JSON.stringify({
            category: messageType,
            deviceToken: endpoint.channelID,
            alias: alias // NOTE: the key has changed (was clientIdentifier)
        })
    });
The important thing: we add the |"Authorization": "Basic "| header and
use the mentioned |window.btoa()| function for the actual encoding.
The same applies for the |DELETE| (unregistration).
Any thoughts? Otherwise, I'd send a PR.
Ah.... the dependency against the |Base64.js| polyfill library
would/should be included in our "grunt" build for "distribution", or
would it be "just" declared (yeah, that's details but asking out of
curiosity)
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
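The two points raised in this thread, building the Basic header correctly and the fact that Base64 is an encoding rather than a protection, as an added, stand-alone example that is not code from the thread or from the AeroGear project. It builds the `Authorization` value the way the quoted `$.ajax` snippet does (with the space after `Basic` that the original concatenation was missing), UTF-8-encodes the credentials so `btoa` does not throw on non-Latin-1 secrets, and then parses the header straight back into `variantID:secret`, which is exactly what anyone on the network path can do when the request is not sent over TLS. The function names, the `variant-123` / `s3cret` values and the colon check are assumptions made for this example; it runs in a browser or in Node 16+ where `btoa`, `atob`, `TextEncoder` and `TextDecoder` are globals.

```javascript
// Added example (not from the AeroGear thread): build and parse an HTTP Basic
// Authorization header as the quoted $.ajax snippet does, and show that the
// Base64 payload decodes directly back to "variantID:secret". Without TLS the
// credentials therefore travel in cleartext.

// Base64 helpers: use the platform btoa/atob when present (the thread relies
// on window.btoa), otherwise fall back to Node's Buffer.
const toBase64 = typeof btoa === "function"
  ? (bin) => btoa(bin)
  : (bin) => Buffer.from(bin, "binary").toString("base64");
const fromBase64 = typeof atob === "function"
  ? (b64) => atob(b64)
  : (b64) => Buffer.from(b64, "base64").toString("binary");

// btoa only accepts "binary strings" (every code unit <= 0xFF) and throws
// InvalidCharacterError otherwise. Encode the credentials as UTF-8 bytes first,
// which is also what RFC 7617 recommends for Basic credentials.
function utf8ToBinaryString(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return bin;
}

function binaryStringToUtf8(bin) {
  const bytes = Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
  // fatal: true makes malformed UTF-8 throw instead of producing U+FFFD
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Build the header value. Note the space after "Basic": "Basic" + btoa(...)
// yields "BasicdmFy...", which servers reject as an unknown auth scheme.
function buildBasicAuthorization(variantID, secret) {
  if (typeof variantID !== "string" || typeof secret !== "string") {
    throw new TypeError("variantID and secret must be strings");
  }
  // RFC 7617: the user-id must not contain a colon, otherwise the receiver
  // cannot split user-id and password unambiguously (the password may).
  if (variantID.includes(":")) {
    throw new RangeError("variantID must not contain ':'");
  }
  return "Basic " + toBase64(utf8ToBinaryString(variantID + ":" + secret));
}

// Parse a header value back into its parts, i.e. recover the cleartext
// credentials. Returns null for anything that is not a well-formed Basic
// credential (wrong scheme, missing space, bad Base64, bad UTF-8, no colon).
function parseBasicAuthorization(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(headerValue || "");
  if (!m) return null;
  let decoded;
  try {
    decoded = binaryStringToUtf8(fromBase64(m[1]));
  } catch (e) {
    return null;
  }
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
}

// Constructed sample values (not real AeroGear credentials).
const sampleHeader = buildBasicAuthorization("variant-123", "s3cret");
console.log(sampleHeader);
console.log(parseBasicAuthorization(sampleHeader));
```

The round trip is the whole point: `parseBasicAuthorization` needs no key or secret of its own, so the only thing standing between the `variantID:secret` pair and a passive observer is the transport. The `Base64.js` polyfill mentioned in the thread only matters for browsers that lack `window.btoa`; the fallback above plays the same role when the code runs under Node.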