[aerogear-dev] HTTP_Basic: SimplePush (Channel) Registration

Kris Borchers kris at redhat.com
Thu Jun 20 11:32:59 EDT 2013


On Jun 20, 2013, at 10:28 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Just one addition http://tools.ietf.org/html/rfc2617#section-4

Right … even on the iOS and Android side of things, it is still very easy to "decrypt" a base64 encoded string. Using HTTPS would help but that is not foolproof either so we may want to think of some other method.
> 
> Bruno Oliveira wrote:
>> Don't feel safe because you're doing something with Base64 or using
>> basic authentication. It doesn't guarantee safety, the HTTP Basic
>> Authentication scheme is not considered a secure method without TLS/SSL,
>> because username and password are passed over the network in cleartext.
>> 
>> For this reason we will replace it with Digest or Hawk into the near
>> future.
>> 
>> Matthias Wessendorf wrote:
>>> Hi,
>>> 
>>> with the use of this helper
>>> <https://github.com/davidchambers/Base64.js>, it is "safe" (I think) to
>>> use the |window.btoa| function(see details
>>> <https://developer.mozilla.org/en-US/docs/Web/API/window.btoa>), to
>>> perform a (simple) Base64 encoding.
>>> 
>>> Base64 encoding is required, since the "Device Registration" HTTP REST
>>> endpoint now uses HTTP_Basic (for details see the matching thread
>>> <http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html>).
>>> 
>>> Currently we perform this code for "channel registration":
>>> 
>>> |$.ajax({
>>> contentType:"application/json",
>>> dataType:"json",
>>> type:"POST",
>>> url: url,
>>> headers: {
>>> "ag-mobile-variant": variantID
>>> },
>>> data: JSON.stringify({
>>> category: messageType,
>>> deviceToken: endpoint.channelID,
>>> clientIdentifier: alias
>>> })
>>> });
>>> |
>>> 
>>> As mentioned on the "Security thread", the |variantID| is no longer a
>>> header, it is part of the HTTP_Basic auth process.
>>> 
>>> This is a (local) JavaScript change that I did. It works fine so far:
>>> 
>>> |$.ajax({
>>> contentType:"application/json",
>>> dataType:"json",
>>> type:"POST",
>>> crossDomain: true,
>>> url: url,
>>> headers: {
>>> "Authorization":"Basic" + window.btoa(variantID +":" + secret)
>>> },
>>> data: JSON.stringify({
>>> category: messageType,
>>> deviceToken: endpoint.channelID,
>>> alias: alias ///// NOTE:: the key has changed..........
>>> })
>>> });
>>> |
>>> 
>>> The important thing: we add the |"Authorization": "Basic "| header and
>>> using the mentioned|window.btoa()| function for the actual encoding.
>>> 
>>> The same applies for the |DELETE| (unregistration).
>>> 
>>> Any thoughts? Otherwise, I'd send a PR.
>>> 
>>> Ah.... the dependency agains the |Base64.js| polyfill library
>>> would/should be included in our "grunt" build for "distribution", or
>>> would it be "just" declared (yeah, that's details but asking for
>>> curiousity)
>>> 
>>> 
>>> --
>>> Matthias Wessendorf
>>> 
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>>> 
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>> 
> 
> -- 
> abstractj
> 
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev




More information about the aerogear-dev mailing list