10:32 a.m.
On Thu, Jun 20, 2013 at 5:25 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Don't feel safe because you're doing something with Base64 or
using
basic authentication.
yep, I know :) said "somewhat" secured :)
It doesn't guarantee safety, the HTTP Basic
Authentication scheme is not considered a secure method without TLS/SSL,
because username and password are passed over the network in cleartext.
yep, I know - not hard to "read" the values behind the Base64 string.
But I have never seen Basic w/o SSL :) But... not saying that some may do
it :)
For this reason we will replace it with Digest or Hawk into the near
future.
that sound great !!! :))
Matthias Wessendorf wrote:
> Hi,
>
> with the use of this helper
> <https://github.com/davidchambers/Base64.js>;, it is "safe" (I think)
to
> use the |window.btoa| function(see details
> <https://developer.mozilla.org/en-US/docs/Web/API/window.btoa>), to
> perform a (simple) Base64 encoding.
>
> Base64 encoding is required, since the "Device Registration" HTTP REST
> endpoint now uses HTTP_Basic (for details see the matching thread
> <http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html>).
>
> Currently we perform this code for "channel registration":
>
> |$.ajax({
> contentType:"application/json",
> dataType:"json",
> type:"POST",
> url: url,
> headers: {
> "ag-mobile-variant": variantID
> },
> data: JSON.stringify({
> category: messageType,
> deviceToken: endpoint.channelID,
> clientIdentifier: alias
> })
> });
> |
>
> As mentioned on the "Security thread", the |variantID| is no longer a
> header, it is part of the HTTP_Basic auth process.
>
> This is a (local) JavaScript change that I did. It works fine so far:
>
> |$.ajax({
> contentType:"application/json",
> dataType:"json",
> type:"POST",
> crossDomain: true,
> url: url,
> headers: {
> "Authorization":"Basic" + window.btoa(variantID
+":" + secret)
> },
> data: JSON.stringify({
> category: messageType,
> deviceToken: endpoint.channelID,
> alias: alias ///// NOTE:: the key has changed..........
> })
> });
> |
>
> The important thing: we add the |"Authorization": "Basic "|
header and
> using the mentioned|window.btoa()| function for the actual encoding.
>
> The same applies for the |DELETE| (unregistration).
>
> Any thoughts? Otherwise, I'd send a PR.
>
> Ah.... the dependency agains the |Base64.js| polyfill library
> would/should be included in our "grunt" build for
"distribution", or
> would it be "just" declared (yeah, that's details but asking for
curiousity)
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf