Hello dear @AB
I have a function for generating JWT tokens, one for validating them, and another for revoking them.
I created a whitelist for URLs that don’t require authentication and a blacklist for tokens that haven’t expired but have been revoked.
In the `OnBeforeURI` event, if the URL is in the whitelist, I skip token validation and let the request proceed.
If the URL isn’t in the whitelist, I validate the token. If the token is valid and not in the blacklist, authentication is completed, and the corresponding method for that URL is executed.
I did all this because I couldn’t find an automatic solution for this in mORMot2.
I have two questions:
1. Is there no automatic solution for this, and do I have to handle it this way?
2. My problem is with URLs that have slight variations — for example, `api/Auth.Login` and `api/Auth/Login` are both valid. Is there a way to avoid adding multiple similar URLs to the whitelist?
Last edited by Kabiri (2025-03-17 07:47:56)
Usually I use some `if IdemPChar()` in the OnBeforeUri to quickly check for the bearer.
Since most of the URIs are likely to be protected, it seems fair enough: only a few URIs to check.
The idea is to be hardened/closed by default, and only allow the few needed unauthenticated URIs.
For the blacklist of tokens, you may consider using our TBinaryCookieGenerator from mormot.crypt.secure, which maintains such a list, in a very efficient manner.
This TBinaryCookieGenerator class may be better than JWT in practice.
Thanks, I’ll try it.
But you are right, there is a simple JWT/Bearer implementation needed for the REST server.
If you don't use the default authentication, which is pretty much mORMot/pascal-centric, there is some additional work to do.
I will look into adding a new authentication method via a TBinaryCookieGenerator and an Authentication: Bearer token.
It would be great to add a new authentication method.
Using `IdemPChar()` was suitable for uppercase and lowercase letters, but it differentiated between "." and "/".
To fix the problem, I used this code: `StringReplace(Ctxt.Call^.Url,'.','/',[rfReplaceAll])`
Unfortunately, I was unable to use TBinaryCookieGenerator.
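Putting Kabiri's whitelist/blacklist flow and ab's `IdemPChar()` suggestion together, here is an added example of an `OnBeforeUri` handler (not code from this thread or from mORMot2 itself): it normalizes "." to "/" once, matches the public URIs with `IdemPChar()` but also requires the match to end at the pattern, verifies the bearer with `TJwtHS256` and rejects tokens whose `jti` has been revoked. It assumes a model root of `root` carried in `Call^.Url` without a leading "/", tokens issued with a `jti` claim, and the constructed names `PUBLIC_URIS` and `TBearerGate`.

```pascal
uses
  mormot.core.base,
  mormot.core.text,     // IdemPChar, StringReplaceAll
  mormot.core.data,     // TRawUtf8List
  mormot.crypt.jwt,     // TJwtHS256, TJwtContent, jrc* claims
  mormot.rest.server;   // TRestServerUriContext

const
  // constructed whitelist: uppercase and '/'-only, as the URI is normalized before matching
  PUBLIC_URIS: array[0..1] of PAnsiChar = ('ROOT/API/AUTH/LOGIN', 'ROOT/API/AUTH/REFRESH');

type
  TBearerGate = class
    Jwt: TJwtHS256;        // e.g. TJwtHS256.Create(secret, 1000, [jrcIss, jrcExp, jrcJti], [], 60)
    Revoked: TRawUtf8List; // jti of revoked but unexpired tokens: Create([fNoDuplicate, fThreadSafe])
    function OnBeforeUri(Ctxt: TRestServerUriContext): boolean;
  end;

function IsPublicUri(const uri: RawUtf8): boolean;
var
  i: PtrInt;
begin
  for i := 0 to high(PUBLIC_URIS) do
    // IdemPChar() is a case-insensitive prefix test, so also require the URI to end (or start
    // its query) right after the pattern: 'api/Auth/LoginAdmin' must not inherit the exemption
    if IdemPChar(pointer(uri), PUBLIC_URIS[i]) and
       (PUtf8Char(pointer(uri))[StrLen(PUBLIC_URIS[i])] in [#0, '?']) then
      exit(true);
  result := false;
end;
// assign to TRestServer.OnBeforeUri; returning false aborts the request with the error set
function TBearerGate.OnBeforeUri(Ctxt: TRestServerUriContext): boolean;
var
  uri: RawUtf8;
  content: TJwtContent;
begin
  result := true;
  // the router accepts both 'api/Auth.Login' and 'api/Auth/Login': normalize once, match once
  uri := StringReplaceAll(Ctxt.Call^.Url, '.', '/');
  if IsPublicUri(uri) then
    exit; // whitelisted: no bearer required
  Jwt.Verify(Ctxt.AuthenticationBearerToken, content);
  if content.result <> jwtValid then
    Ctxt.Error('Invalid Bearer', HTTP_UNAUTHORIZED)
  else if Revoked.IndexOf(content.reg[jrcJti]) >= 0 then
    Ctxt.Error('Token revoked', HTTP_FORBIDDEN)
  else
    exit; // valid and not revoked: let the method run
  result := false;
end;
```

The revoked list only needs to hold `jti` values until their `exp` passes, which is the same bounded set a `TBinaryCookieGenerator` would keep for you.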
I am a bit late; for question #1 I'd like to give this awesome post as a reference:
refresh-tokens-what-are-they-and-when-to-use-them on the auth0.com blog.
Well explained, and it makes things crystal clear.
Also, it will be easier to find when searching on the forum.
@flydev
Thanks
dear @ab
I realized that in ServiceRegister, there is a ByPassAuthentication property.
Because of that, I didn't correctly exclude the URL in OnBeforeUri. Instead, I wrote a separate service for it and excluded it during registration using ByPassAuthentication.
On the server, I added the JWT value using JwtForUnauthenticatedRequest.
I configured the authentication using AuthenticationRegister with TRestServerAuthenticationDefault (I also tested other values).
When I send a POST request to my URL, I receive the JWT token.
However, when I send this token to another URL using the Bearer token, I get the following error:
{
"errorCode": 403,
"errorText": "Authentication Failed: Invalid signature (0)"
}
If I stop the program, comment out the AuthenticationRegister line, and run the program again, sending the same previous token through my POST, there’s no error.
But the previously excluded URL now gives this error:
Invalid Bearer [jwtNoToken].
While tracing, I noticed that HandleAuthentication is triggered by AuthenticationRegister, which causes the JWT authentication to not be executed.
How can I fix this issue?
I had this issue and I had to write my own TRestServerAuthentication* handler, overriding `SessionCreate()`, `RetrieveSession()` and `Auth()`, because HandleAuthentication is set at RestServer level, so session logic is expected.
I found the thread that explains what I said, there: /forum/viewtopic.php?pid=30095#p30095
You will find a nice example (v1) from @Chris75018.
Last edited by flydev (2025-05-07 08:30:54)
I forgot to mention that if you want to play with it, I ported the project to mORMot v2 some months ago and I can publish it.
Yes, I would appreciate that.
Thanks.
Let me see how I can integrate it with my own project.