[aerogear-dev] HTTP_Basic: SimplePush (Channel) Registration

Matthias Wessendorf matzew at apache.org
Thu Jun 20 11:32:33 EDT 2013


On Thu, Jun 20, 2013 at 5:25 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Don't feel safe because you're doing something with Base64 or using
> basic authentication.


yep, I know :) I said "somewhat" secured :)


> It doesn't guarantee safety, the HTTP Basic
> Authentication scheme is not considered a secure method without TLS/SSL,
> because username and password are passed over the network in cleartext.
>

yep, I know - not hard to "read" the values behind the Base64 string.
But I have never seen Basic w/o SSL :) But... not saying that some may do
it :)


>
> For this reason we will replace it with Digest or Hawk in the near
> future.
>

that sounds great !!! :))


>
> Matthias Wessendorf wrote:
> > Hi,
> >
> > with the use of this helper
> > <https://github.com/davidchambers/Base64.js>, it is "safe" (I think) to
> > use the |window.btoa| function(see details
> > <https://developer.mozilla.org/en-US/docs/Web/API/window.btoa>), to
> > perform a (simple) Base64 encoding.
> >
> > Base64 encoding is required, since the "Device Registration" HTTP REST
> > endpoint now uses HTTP_Basic (for details see the matching thread
> > <http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html>).
> >
> > Currently we perform this code for "channel registration":
> >
> > |$.ajax({
> >    contentType:"application/json",
> >    dataType:"json",
> >    type:"POST",
> >    url: url,
> >    headers: {
> >      "ag-mobile-variant": variantID
> >    },
> >    data: JSON.stringify({
> >      category: messageType,
> >      deviceToken: endpoint.channelID,
> >      clientIdentifier: alias
> >    })
> > });
> > |
> >
> > As mentioned on the "Security thread", the |variantID| is no longer a
> > header, it is part of the HTTP_Basic auth process.
> >
> > This is a (local) JavaScript change that I did. It works fine so far:
> >
> > |$.ajax({
> >    contentType:"application/json",
> >    dataType:"json",
> >    type:"POST",
> >    crossDomain: true,
> >    url: url,
> >    headers: {
> >      "Authorization": "Basic " + window.btoa(variantID + ":" + secret)
> >    },
> >    data: JSON.stringify({
> >      category: messageType,
> >      deviceToken: endpoint.channelID,
> >      alias: alias     ///// NOTE:: the key has changed..........
> >    })
> > });
> > |
> >
> > The important thing: we add the |"Authorization": "Basic "| header and
> > use the mentioned |window.btoa()| function for the actual encoding.
> >
> > The same applies for the |DELETE| (unregistration).
> >
> > Any thoughts? Otherwise, I'd send a PR.
> >
> > Ah.... the dependency against the |Base64.js| polyfill library
> > would/should be included in our "grunt" build for "distribution", or
> > would it be "just" declared (yeah, that's details but asking out of
> > curiosity)
> >
> >
> > --
> > Matthias Wessendorf
> >
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
> --
> abstractj
>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
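Added example (not from the thread and not AeroGear code) in plain JavaScript: it builds the Authorization header for the registration POST discussed above, including the space after "Basic" that the pasted snippet omits, decodes the header back to show the credentials travel as cleartext, and refuses a non-https URL. The function names, the Latin-1 check and the https guard are my own assumptions, not the library's API.

```javascript
// Added example, not code from the aerogear-dev thread. Runs in a browser or Node >= 16.

// Encode with window.btoa where available, otherwise Node's Buffer (Latin-1, like btoa).
function base64Latin1(s) {
  // btoa() only accepts code points <= 0xFF (why a Base64.js polyfill gets discussed);
  // reject anything else up front so every runtime fails the same way.
  if (/[^\u0000-\u00ff]/.test(s)) {
    throw new RangeError("Basic credentials must be Latin-1; encode the secret first");
  }
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s, "latin1").toString("base64");
}

function base64DecodeLatin1(s) {
  return typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1");
}

// RFC 2617 shape: "Basic" SP base64(user ":" password). Without the space the
// scheme token becomes "BasicXXXX" and the server rejects or ignores the header.
function basicAuthHeader(variantID, secret) {
  if (variantID.includes(":")) throw new RangeError("user-id must not contain ':'");
  return "Basic " + base64Latin1(variantID + ":" + secret);
}

// Recover the cleartext credentials from a header: this is all an on-path
// observer needs to do when Basic is sent without TLS.
function decodeBasicHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header);
  if (!m) throw new Error("not a Basic header");
  const decoded = base64DecodeLatin1(m[1]);
  const i = decoded.indexOf(":"); // first colon only: the secret may itself contain ':'
  return { user: decoded.slice(0, i), secret: decoded.slice(i + 1) };
}

// jQuery-style settings object for the channel registration POST (hypothetical
// helper); plain http: is refused so the credentials never leave the device in clear.
function registrationRequest(url, variantID, secret, endpoint, messageType, alias) {
  if (!/^https:\/\//i.test(url)) throw new Error("Basic auth requires an https: URL");
  return {
    contentType: "application/json", dataType: "json", type: "POST", crossDomain: true, url,
    headers: { Authorization: basicAuthHeader(variantID, secret) },
    data: JSON.stringify({ category: messageType, deviceToken: endpoint.channelID, alias })
  };
}
```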