Revision history: Hans Karlsen moved the page "Logging in with code" to "Log in with code" (confused spelling); the page was added to Category:TOC because it contains a TOC; 13 intermediate revisions by 3 users not shown.
Categories: MDriven Turnkey, MVC, TOC. Edited July 12, 2024.
Latest revision as of 13:47, 26 March 2024
A new (2023) way to log in with logic rather than having the user type in a pwd
Among the use cases:
- You have an app - and you want to make sure that the app logs in for the user - so that you don't need to nag the user
- You send a magic link to a user to enable the user to have access - maybe to work around a lost pwd
- You have technical actors and you want to give them a way to log in - but at the same time keep a way to stop them if you change your mind
Use a JWT (JSON Web Token). A JWT is like a passport that says "I am <ThisUser>", and like all passports, it has a start and end date. The JWT passport also carries a cryptographic signature that proves it was created by a trusted party and has not been altered by anyone else. This trusted party can easily be you (but does not have to be). All this is explained in this video: https://youtu.be/lKE2Heyc8h0
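The passport analogy above, carried through in code. This is an added example written for this page in Python, not MDriven's or Turnkey's own code: it mints an HS256 JWT with a start date (nbf), an end date (exp) and a token id (jti), then verifies it the way a relying party should: signature first, then the validity window, then a revocation list for the "stop them if you change your mind" use case. The secret, subject and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only; a real issuer keeps it out of source control.
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject, issued_at, lifetime_s, token_id, secret=SECRET):
    """Issue an HS256 JWT: the 'passport' saying "I am <subject>", valid from issued_at
    until issued_at + lifetime_s, with a token id (jti) so it can be revoked later."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "nbf": issued_at,
              "exp": issued_at + lifetime_s, "jti": token_id}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8")))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token, now, revoked=frozenset(), secret=SECRET):
    """Return the claims if the token is authentic, inside its validity window and not revoked;
    return None otherwise. Nothing in the token is trusted before the signature checks out."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm to what we issue; never let the token choose (e.g. "none").
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (h64 + "." + c64).encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so a wrong signature cannot be probed byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        claims = json.loads(_b64url_decode(c64))
        if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
            return None  # outside the passport's start/end dates (a missing exp also fails)
        if claims.get("jti") in revoked:
            return None  # the issuer changed its mind about this token
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed segments, bad base64 or non-object JSON


if __name__ == "__main__":
    token = mint_jwt("ThisUser", issued_at=1_700_000_000, lifetime_s=3600, token_id="tok-1")
    print(token)
    print(verify_jwt(token, now=1_700_000_100))
    print(verify_jwt(token, now=1_700_000_100, revoked={"tok-1"}))
```

The order of checks is the point: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the token, and revocation is a lookup the issuer controls, which is what makes the third use case (technical actors you may later need to cut off) workable with a token that is otherwise valid until its end date.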
Below is the functioning old way to log in with code
Turnkey uses MVC for the login form. This form carries the __RequestVerificationToken, the ASP.NET MVC anti-forgery token, which lets MVC reject cross-site request forgery and the replay of an old posted form.
You will need to supply a valid RequestVerificationToken when logging in from code. The easiest way to get a valid RequestVerificationToken is to screen-scrape it from the login page.
The code below downloads the Login page and finds the RequestVerificationToken.
Then the code makes a post with the parameters needed for login, including the screen-scraped __RequestVerificationToken.
```csharp
using System;
using System.Net.Http;
using System.Windows;

private async void Button_Click_1(object sender, RoutedEventArgs e)
{
    // HttpClient keeps a CookieContainer by default, so the session and auth cookies set by
    // the site are stored on this instance; reuse the same instance for later requests.
    var client = new HttpClient();
    var loginUrl = "https://raptor3ny/TurnkeyWebAppGeneric/Account/Login";

    // 1. Download the login form to obtain the anti-forgery token it embeds.
    var loginform = await client.GetAsync(loginUrl);
    var loginformcontent = await loginform.Content.ReadAsStringAsync();

    // 2. Screen-scrape the value attribute of the __RequestVerificationToken input.
    var tokenStart = loginformcontent.IndexOf("<input name=\"__RequestVerificationToken\"");
    if (tokenStart < 0)
        throw new InvalidOperationException("No __RequestVerificationToken on the login page");
    var part1 = loginformcontent.Substring(tokenStart, Math.Min(1000, loginformcontent.Length - tokenStart));
    part1 = part1.Substring(part1.IndexOf("value="));
    part1 = part1.Substring(part1.IndexOf('"') + 1);
    part1 = part1.Substring(0, part1.IndexOf('"'));

    // 3. Post the login form with the scraped token. The token is tied to the cookie issued
    //    with the form, so the post must come from the same client that fetched it.
    var content = new MultipartFormDataContent();
    content.Add(new StringContent("hans@karlsen.se"), "EMail"); // sample credentials from the page
    content.Add(new StringContent("123456"), "Password");
    content.Add(new StringContent("false"), "RememberMe");
    content.Add(new StringContent(part1), "__RequestVerificationToken");
    var result = await client.PostAsync(loginUrl, content);

    // MVC re-renders the login form with 200 OK when the credentials are wrong, while a
    // successful login redirects (followed automatically) to a page without the token input,
    // so check the body as well as the status code.
    var body = await result.Content.ReadAsStringAsync();
    if (result.StatusCode == System.Net.HttpStatusCode.OK && !body.Contains("__RequestVerificationToken"))
    {
        // Login successful; client now holds the authentication cookie
    }
}
```
Rest Authentication
Turnkey is the Rest Service Host
When we expose Rest Services, we check for the common basic authentication in the "Authentication" header of the request. The standard (HTTP Basic authentication) says that you can send "Basic user:pwd", where user:pwd is base64-encoded. If we find this, we unpack it and resolve it against the SysUser.
Also, see this: Authenticate_with_a_jwt
Send to Rest service via selfVM.RestGet
When you use the selfVM.RestGet etc. methods, you can supply a user and pwd. If set, we add these as a basic auth header for simplicity. This makes it very easy to communicate securely between Turnkey apps and with most other available REST implementations, provided the connection is HTTPS, since Basic credentials are only base64-encoded, not encrypted.
If your user is "Bearer" (case insensitive), we assume that the pwd is a bearer token and send an "Authentication" header with the value "Bearer <token>" (using the exact casing of "Bearer" you supplied, since some services are picky about this).
You may sign the request with a client certificate: Sign_client_rest_request_with_certificate.
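Both sides of the header rules described in this section, as an added Python example that is not MDriven's or Turnkey's own code: the client-side rule of selfVM.RestGet (user "Bearer" in any casing means the pwd is a bearer token, otherwise Basic), and the host-side parsing of a Basic credential and its resolution against a user table. The example uses the standard HTTP header name Authorization (RFC 7617 and RFC 6750), where the text above writes "Authentication". The user table, user name and password are constructed stand-ins for SysUser; storing a salted PBKDF2 hash rather than the plain password is this example's choice, not something the page states about SysUser.

```python
import base64
import binascii
import hashlib
import hmac
import os


def build_auth_header(user, pwd):
    """Client side, mirroring the selfVM.RestGet rule: user "Bearer" (any casing) means pwd is
    a bearer token; otherwise send HTTP Basic. Returns (header name, header value)."""
    if user.lower() == "bearer":
        return ("Authorization", user + " " + pwd)  # keep the caller's casing of "Bearer"
    creds = base64.b64encode((user + ":" + pwd).encode("utf-8")).decode("ascii")
    return ("Authorization", "Basic " + creds)


def parse_basic_header(value):
    """Host side: decode a Basic credential into (user, pwd); None if absent or malformed."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "basic" or not rest.strip():
        return None
    try:
        decoded = base64.b64decode(rest.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split at the first colon only: the password itself may contain colons.
    user, sep, pwd = decoded.partition(":")
    if not sep or not user:
        return None
    return (user, pwd)


def _hash_pwd(pwd, salt):
    return hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, 100_000)


def make_record(pwd):
    salt = os.urandom(16)
    return (salt, _hash_pwd(pwd, salt))


# Constructed stand-in for the SysUser table: user name -> (salt, password hash).
USERS = {"alice": make_record("s3cret:with:colons")}
# Hashed even for unknown users, so response timing does not reveal which names exist.
_DUMMY = make_record("dummy")


def authenticate(header_value, users=USERS):
    """Resolve the request's credential against the user table; returns the user name or None."""
    parsed = parse_basic_header(header_value)
    if parsed is None:
        return None
    user, pwd = parsed
    salt, stored = users.get(user, _DUMMY)
    if not hmac.compare_digest(_hash_pwd(pwd, salt), stored):
        return None
    return user if user in users else None


if __name__ == "__main__":
    name, value = build_auth_header("alice", "s3cret:with:colons")
    print(name + ": " + value)
    print(authenticate(value))
    print(build_auth_header("Bearer", "<jwt-from-the-section-above>"))
```

Two details matter for a host: the credential is split at the first colon only, because passwords may legitimately contain colons, and the base64 decoding is strict (`validate=True`) so junk after the scheme is rejected rather than silently decoded into something that looks like a user name.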