Security Token Authentication

Kevin B Posted in Component Development 4 years ago

Hi guys,
I'd like WebChat to make use of OSSN's Security Token system. I think I've implemented it, but I'm just looking for some friendly advice / guidance.

My main page generates a new ossnts and ossntoken on each refresh.

I am passing this to my chat_api every time I make any requests.

chat_api is receiving it as input, and can output for confirmation.

I then run the following code at beginning of the chat_api page:

    // Reject the request unless both the timestamp and the token are present
    $ossnts = input('ossn_ts');
    $ossntoken = input('ossn_token');
    if(empty($ossnts) || empty($ossntoken)){
        return false;
    }
    // Regenerate the token for the supplied timestamp and require an exact match.
    // Note: `!$ossntoken == $generate` parses as `(!$ossntoken) == $generate`
    // and never rejects a mismatched token, so a strict inequality is used.
    $generate = ossn_generate_action_token($ossnts);
    if ($ossntoken !== $generate) return false;

I'll probably send a redirect action back to the WebChat if authentication fails (which I can emulate by removing the NOT !..., which freezes the WebChat).

I think this is actually working! But I'm wondering if there is a better / recommended way to do it?

Thanks again chaps :)

Kev
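As an added, stand-alone example (not code from the original post and not OSSN's own token implementation), the following PHP file models the check above and puts the posted comparison beside a hardened one. The token derivation (an HMAC over the timestamp and session id with a site secret), the secret, the session id and the 3600-second freshness window are constructed assumptions for illustration only; the real `ossn_generate_action_token()` may derive its value differently.

```php
<?php
// Added example: model of a timestamp + token check. The derivation below is
// an assumption for illustration, not OSSN's algorithm.

const SITE_SECRET   = 'constructed-site-secret-for-demo'; // constructed value
const TOKEN_MAX_AGE = 3600;                               // seconds; assumed window

// Derive the token the server expects for a given timestamp and session.
function model_generate_token(int $ts, string $sessionId, string $secret = SITE_SECRET): string
{
    return hash_hmac('sha256', $ts . '|' . $sessionId, $secret);
}

// The comparison as posted. `!$token == $generated` parses as
// `(!$token) == $generated`: for a non-empty token `!$token` is false, and a
// non-empty string compared loosely to false is true, so the whole expression
// is false for every input and the request is never rejected.
function posted_check(string $token, string $generated): bool
{
    return !$token == $generated; // true would mean "reject" in the original code
}

// Hardened form: reject missing values, non-numeric or stale timestamps, and
// any token that is not byte-for-byte equal, using a constant-time comparison.
function validate_request(array $params, string $sessionId, int $now, string $secret = SITE_SECRET): bool
{
    $ts    = $params['ossn_ts']    ?? '';
    $token = $params['ossn_token'] ?? '';
    if ($ts === '' || $token === '' || !preg_match('/^\d+$/', (string) $ts)) {
        return false;
    }
    $ts = (int) $ts;
    if ($ts > $now || ($now - $ts) > TOKEN_MAX_AGE) {
        return false; // timestamp from the future or older than the window
    }
    $expected = model_generate_token($ts, $sessionId, $secret);
    return hash_equals($expected, $token);
}

// Demo with constructed values; returns one boolean per scenario.
function demo(): array
{
    $now       = 1700000000;      // constructed "current time"
    $sessionId = 'sess-abc123';   // constructed session id
    $good      = model_generate_token($now - 10, $sessionId);
    $bad       = str_repeat('0', strlen($good));
    $stale     = model_generate_token($now - 7200, $sessionId);

    return [
        'posted_check_rejects_wrong_token' => posted_check($bad, $good),
        'valid_request'                    => validate_request(['ossn_ts' => $now - 10,   'ossn_token' => $good],  $sessionId, $now),
        'wrong_token'                      => validate_request(['ossn_ts' => $now - 10,   'ossn_token' => $bad],   $sessionId, $now),
        'stale_timestamp'                  => validate_request(['ossn_ts' => $now - 7200, 'ossn_token' => $stale], $sessionId, $now),
        'missing_token'                    => validate_request(['ossn_ts' => $now],                               $sessionId, $now),
    ];
}

print_r(demo());
```

Running the file shows that the posted comparison never flags the wrong token, while `validate_request()` accepts only the fresh, matching pair. Whether OSSN's own tokens carry a timestamp window is something to confirm against the installed version; the window here is a defensive assumption.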

Replies
Kevin B Replied 4 years ago

Oooh that sounds good, better than I've been doing. I'll add that to my to-do list thank you :)

Arsalan Shah Replied 4 years ago

You can copy your chat_api into the action folder and its functions into the ossn_com.php file. Then you can use the action file the same way you are trying to use your chat API. However, you'll need to add those tokens to the URL; Ossn.PostRequest and Ossn.ajaxRequest do the same thing. ajaxRequest is usually used for forms on submit, and PostRequest can be used for custom request sending.

These two functions take care of actions by default and treat all URLs as actions unless you add the parameter action: false to them.

Kevin B Replied 4 years ago

I've run some tests and if I try to access the chat_api with a different ts or token, it deems it invalid and redirects you to the homepage / login. :)

I'm happy with how it's working. When I update GitHub maybe you guys could take a look at what I've done and provide some feedback.

Kevin B Replied 4 years ago

I have chat_api.php which is called from the main WebChat page.

This uses the WebChat class which interacts with the database.

Chat_api has a number of functions (actions) which all work fine and all rely on the user being logged on.

The code above is literally just to ensure that the TS & Token received by the front page are valid before running any actions.

I believe this is already working fine (I'll test by changing the token I'm sending to make sure it fails).

To incorporate the method you've described, would I need to register every function (action) in the ossn_com.php? And then view the chat_api as a form rather than a separate page?

Happy to update GitHub repo if you want to look at the code, I'm just trying to work out whether the amount of work involved would be beneficial if the method I've used works and validates the tokens properly?

Michael Zülsdorff Replied 4 years ago

No source - no idea what you're trying to accomplish.

The general concept of Ossn is:
1. all critical stuff that would change the database must be handled inside an action
2. this action needs to be registered - otherwise calling would fail
3. the action registration has to take place either inside an if(ossn_isLoggedin()){ or an if(ossn_isAdminLoggedin()){ block

The last step (combining a form to be submitted with an action to be performed), like

    echo ossn_view_form('administrator/settings', array(
        'action' => ossn_site_url() . 'action/admin/bio/settings',
        'component' => 'bio',
        'params' => $params,
        'class' => 'ossn-admin-form'
    ), false);

actually adds the security tokens automatically - there's nothing you would have to take any extra care about or add things manually.
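To show the action side that Arsalan's and Michael's replies describe (the form side is Michael's snippet above), here is an added example of a minimal component layout following the three steps. It is not code from this thread or from OSSN; the "webchat" names, the WebChat class and its send() method are hypothetical. ossn_register_callback(), ossn_register_action(), ossn_loggedin_user(), ossn_trigger_message() and redirect(REF) are OSSN helpers as I know them from the component API; check their signatures against the installed OSSN version.

```php
<?php
// Added example (not the thread's or OSSN's code). Two files of one
// hypothetical component are shown in a single listing, separated by the
// comment banners below.

// --- components/WebChat/ossn_com.php --------------------------------------
function webchat_init()
{
    // Step 3: register the action only when a user is logged in, so an
    // anonymous caller never reaches it at all.
    if (ossn_isLoggedin()) {
        // Step 2: map the action name to its file. An action name that was
        // never registered is refused by OSSN before any component code runs.
        ossn_register_action('webchat/send', __DIR__ . '/actions/webchat/send.php');
    }
}
ossn_register_callback('ossn', 'init', 'webchat_init');

// --- components/WebChat/actions/webchat/send.php --------------------------
// Step 1: the database write lives inside the action. By the time this file
// executes, OSSN has already checked ossn_ts and ossn_token for the request,
// so the action does not compare tokens itself.
$message = trim((string) input('message'));
if ($message === '') {
    ossn_trigger_message('Message cannot be empty', 'error');
    redirect(REF);
}

// WebChat is assumed to be the component's own database class from the thread;
// send() is a hypothetical method name.
$chat = new WebChat();
$chat->send(ossn_loggedin_user()->guid, $message);

ossn_trigger_message('Message sent', 'success');
redirect(REF);
```

A form rendered with ossn_view_form() whose 'action' points at ossn_site_url() . 'action/webchat/send' carries the ossn_ts and ossn_token fields automatically, exactly as Michael's settings example does, and Ossn.PostRequest to the same URL behaves the same way unless it is called with action: false. The component then has no hand-written token comparison to get wrong.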