Log in with code
Revision as of 07:57, 14 February 2023

Turnkey uses MVC for the login form. This form makes use of the __RequestVerificationToken that helps MVC avoid attacks when an old posted form is used again.

You will need to supply a valid RequestVerificationToken when logging in from code.

The easiest way to get a valid RequestVerificationToken is to screen-scrape it from the login page.

The code below downloads the Login page and finds the RequestVerificationToken.

Then the code makes a POST with the parameters needed for login, including the screen-scraped __RequestVerificationToken.

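   // Requires: using System; using System.Net.Http;
   private void Button_Click_1(object sender, RoutedEventArgs e)
   {
     // Reuse one HttpClient: its handler keeps the cookies from the GET and returns them with the POST
     var client = new HttpClient();
     var loginform = client.GetAsync("https://raptor3ny/TurnkeyWebAppGeneric/Account/Login").Result;
     var loginformcontent = loginform.Content.ReadAsStringAsync().Result;
  
     // Screen-scrape the value of the hidden __RequestVerificationToken input
     var tokenStart = loginformcontent.IndexOf("<input name=\"__RequestVerificationToken\"");
     if (tokenStart < 0)
       throw new InvalidOperationException("__RequestVerificationToken not found on the login page");
     // No fixed length here: Substring(start, 1000) throws when fewer than 1000 characters remain
     var part1 = loginformcontent.Substring(tokenStart);
     part1 = part1.Substring(part1.IndexOf("value="));
     part1 = part1.Substring(part1.IndexOf('"') + 1);
     part1 = part1.Substring(0, part1.IndexOf('"'));
  
     // Post the login form fields together with the scraped token
     var content = new MultipartFormDataContent();
     content.Add(new StringContent("hans@karlsen.se"), "EMail");
     content.Add(new StringContent("123456"), "Password");
     content.Add(new StringContent("false"), "RememberMe");
     content.Add(new StringContent(part1), "__RequestVerificationToken");
     var result = client.PostAsync("https://raptor3ny/TurnkeyWebAppGeneric/Account/Login", content).Result;
     if (result.StatusCode == System.Net.HttpStatusCode.OK)
     {
       // Login successful
     }
   }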

Rest Authentication

Turnkey is the Rest Service Host

When we expose Rest Services, we check for the common basic authentication in the "Authentication" header of the request. The standard says that you can send "basic user:pwd" where user:pwd is base64 coded. If we find this, we unpack it and resolve it against the SysUser.

Also, see this: Authenticate_with_a_jwt

You Send to Rest service via selfVM.RestGet

When you use the selfVM.RestGet etc. methods, you can supply a user and pwd. If set, we will add these as a basic auth header for simplicity. This makes it very easy to communicate securely between Turnkey apps and with most other available rest implementations.

If your user is "Bearer" (case insensitive), we assume that the pwd is a bearer token and send an "Authentication" header with a "Bearer token" (Bearer case as you gave since services might be picky about this).
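The header rules described in the two sections above, as an added example (not MDriven's own code): the client side chooses Basic or Bearer from the supplied user, and the host side unpacks a Basic value into user and pwd. The class and method names are hypothetical, the credentials are constructed sample values, and the lookup against SysUser is not shown.

```csharp
using System;
using System.Net.Http.Headers;
using System.Text;

public static class RestAuthExample // hypothetical name, not part of Turnkey
{
    // Client side: user "Bearer" (any casing) means pwd is a bearer token;
    // otherwise user:pwd is base64 coded and sent with the Basic scheme.
    public static AuthenticationHeaderValue Build(string user, string pwd)
    {
        if (string.Equals(user, "Bearer", StringComparison.OrdinalIgnoreCase))
            return new AuthenticationHeaderValue(user, pwd); // keep the caller's casing
        var raw = Encoding.UTF8.GetBytes(user + ":" + pwd);
        return new AuthenticationHeaderValue("Basic", Convert.ToBase64String(raw));
    }

    // Host side: unpack a Basic header value. Returns false for any other
    // scheme or for malformed input instead of throwing.
    public static bool TryParseBasic(string headerValue, out string user, out string pwd)
    {
        user = pwd = null;
        if (!AuthenticationHeaderValue.TryParse(headerValue, out var h)) return false;
        if (!string.Equals(h.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)) return false;
        if (string.IsNullOrEmpty(h.Parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(h.Parameter)); }
        catch (FormatException) { return false; } // not valid base64
        int colon = decoded.IndexOf(':'); // split on the first colon: pwd may contain ':'
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        pwd = decoded.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed sample credentials
        var basic = Build("restuser", "s3cret:with:colon");
        var bearer = Build("bearer", "constructed.sample.token");
        Console.WriteLine(basic);  // scheme and parameter as sent in the header
        Console.WriteLine(bearer);

        bool ok = TryParseBasic(basic.ToString(), out var u, out var p);
        Console.WriteLine($"{ok} user={u} pwd={p}");
        // A bearer value is not Basic, so the Basic path rejects it
        Console.WriteLine(TryParseBasic(bearer.ToString(), out _, out _));
    }
}
```

Base64 is an encoding, not encryption, so both header forms protect the credential only when the request travels over HTTPS.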

You may sign the request with a client certificate: Sign_client_rest_request_with_certificate.

This page was edited more than 9 months ago on 03/26/2024.