You might not be able to avoid them e g integration with a t kotlinlang #ktor

You might not be able to avoid them (e.g. integrat...

11/27/2018, 4:54 PM

You might not be able to avoid them (e.g. integration with a third party product that requires them) but keep in mind that JWT & friends have an unreasonably high risk of shooting yourself in the foot

Saša Šijak

11/27/2018, 8:23 PM

how many projects can you name that actually had security problems because of jwt

dave08

11/27/2018, 9:10 PM

So what's better than jwt (without the added complexity of oauth)?

11/27/2018, 11:07 PM

Just use sessions? Or https://paragonie.com/blog/2018/03/paseto-platform-agnostic-security-tokens-is-secure-alternative-jose-standards-jwt-etc — that guy generally has his head on straight.

11/27/2018, 11:08 PM

@Saša Šijak Any project using any of the various JWT libraries that have had serious vulnerabilities (arguably because the spec is needlessly complex and difficult to implement correctly)

11/27/2018, 11:08 PM

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

dave08

11/28/2018, 3:16 AM

Interesting. What do you do to authenticate in an api? It would be nice if Ktor would provide some more battle tested types of authentication...

11/28/2018, 1:35 PM

I’d just use sessions. Put your session storage in Redis and that’ll serve you well for quite a while.

dave08

11/28/2018, 1:36 PM

With an existing Ktor Feature? Or some specific lib that needs to be adapted?

11/28/2018, 1:36 PM

Ktor’s session support has been working just fine for me. I wrote a trivial redis adapter using lettuce based on the session storage docs. LMK if you want that code

11/28/2018, 1:36 PM

Just the regular feature.

dave08

11/28/2018, 1:37 PM

The session support handles authentication?

dave08

11/28/2018, 1:40 PM

Or you use basic authentication and then save a session for next requests? But then, you need extra logic for expiring those sessions... and if, say it's an Android device, then it would need logic to save that session, and get a new one. Alot of REST APIs are stateless nowadays...

11/28/2018, 1:40 PM

It’s part of it. Say you take a username and password on your site. Have an endpoint that receives u&p which validated the pair using normal password best practices. If it all checks out, use a basic data class that stores something like the user id etc, and write that instance into the session. Then, use the authentication feature to check the session and provide a principal.

11/28/2018, 1:41 PM

Redis TTL will handle expiration nicely.

dave08

11/28/2018, 1:41 PM

True

11/28/2018, 1:41 PM

How you communicate the session is up to you. Could use cookies or headers or whatever

11/28/2018, 1:42 PM

I use cookies on my service because the client is a web UI and cookies are the most secure option for that.

dave08

11/28/2018, 1:42 PM

+ basic authentication?

dave08

11/28/2018, 1:43 PM

I guess with ssl it's more secure than JWT according to that article 🙂

11/28/2018, 1:43 PM

No, http basic would throw up the ugly browser username and password dialog. There’s a page with a html form that posts JSON which an endpoint handles

11/28/2018, 1:44 PM

And yes all is TLS always

dave08

11/28/2018, 1:46 PM

I guess for an API, it would be more appropriate... I'm not working with browsers too much... thanks for the links and all!

11/28/2018, 1:47 PM

Sure. 1 min and I’ll paste some snippets that hopefully will make it more clear

dave08

11/28/2018, 1:48 PM

If you could pass me that adapter, it would be great! Any reason you're using lettuce and not jedis? Isn't it a bit overkill?

11/28/2018, 1:51 PM

I don't recall exactly why I chose lettuce

dave08

11/28/2018, 1:52 PM

It has tons of features and an async api, but for such a small need, might not be worth the overhead...

11/28/2018, 1:52 PM

better async api? better maintenance schedule? who knows

11/28/2018, 1:52 PM

Copy code

class RedisSessionStorage(private val redis: RedisAsyncCommands<String, ByteArray>,
                          ttl: Duration,
                          private val keyPrefix: String = "session_") : SimplifiedSessionStorage() {

    private val ttlMillis = ttl.toMillis()

    override suspend fun read(id: String): ByteArray? {
        return redis.get(effectiveId(id))
                .asDeferred()
                .await()?.also {
                    redis.pexpire(effectiveId(id), ttlMillis)
                            .asDeferred()
                            .await()
                }
    }

    override suspend fun write(id: String, data: ByteArray?) {
        if (data == null) {
            redis.del(effectiveId(id))
        } else {
            redis.set(effectiveId(id), data, SetArgs().px(ttlMillis))
        }.asDeferred()
                .await()
    }

    private fun effectiveId(id: String): String = keyPrefix + id

}

class StringByteCodec : RedisCodec<String, ByteArray> {
    private val keyCodec = StringCodec()
    private val valCodec = ByteArrayCodec()

    override fun decodeKey(bytes: ByteBuffer?): String = keyCodec.decodeKey(bytes)

    override fun encodeValue(value: ByteArray?): ByteBuffer = valCodec.encodeValue(value)

    override fun encodeKey(key: String?): ByteBuffer = keyCodec.encodeKey(key)

    override fun decodeValue(bytes: ByteBuffer?): ByteArray = valCodec.decodeValue(bytes)
}

/**
 * Since we don't have an obvious place to hang on to re-usable buffers, use this helper from
 * <https://ktor.io/features/sessions.html>. It does allocate, but oh well...
 */
abstract class SimplifiedSessionStorage : SessionStorage {
    abstract suspend fun read(id: String): ByteArray?
    abstract suspend fun write(id: String, data: ByteArray?)

    override suspend fun invalidate(id: String) {
        write(id, null)
    }

    override suspend fun <R> read(id: String, consumer: suspend (ByteReadChannel) -> R): R {
        val data = read(id) ?: throw NoSuchElementException("Session $id not found")
        return consumer(ByteReadChannel(data))
    }

    override suspend fun write(id: String, provider: suspend (ByteWriteChannel) -> Unit) {
        return provider(CoroutineScope(<http://Dispatchers.IO|Dispatchers.IO>).reader(coroutineContext, autoFlush = true) {
            val data = ByteArrayOutputStream()
            val temp = ByteArray(1024)
            while (!channel.isClosedForRead) {
                val read = channel.readAvailable(temp)
                if (read <= 0) break
                data.write(temp, 0, read)
            }
            write(id, data.toByteArray())
        }.channel)
    }
}

11/28/2018, 1:52 PM

Plug that in as your session storage and you're done.

👍🏼 1

11/28/2018, 1:53 PM

something like

data class SessionData(val userId: UUID)

would be suitable for what you store in the session.

11/28/2018, 1:54 PM

In your log in endpoint, once you've done whatever validation you want to do on username/password,

call.sessions.set(SessionData(theUserId))

11/28/2018, 1:56 PM

Then, in your

install(Authentication)

block, you'd do

session<SessionData>("USER_AUTH")  { lookUpUserFromSession(it)?.let { user -> SomeUserPrincipalClass(user.foo, user.bar, user.baz) }

11/28/2018, 1:57 PM

whatever principal type you wish to use is what you'll get back out of

call.authentication.principal<SomeUserPrincipalClass>()

. If you have roles or something like that associated with users, that type would be a good place to hold them since you will have just loaded your user record.

dave08

11/28/2018, 1:59 PM

Nice 😉

23 Views

Open in Slack

Previous Next