JWT InsufficientPermissions error

Hello!

I have a problem using the JWT authorization and CRUD endpoints and I would need some help. I've set up an XData server with a service operation (simplified):

function TMyService.Login(const UserName, Password: string): string;
var
  JWT: TJWT;
  Scopes: string;
begin
  if (UserName <> 'test') or (Password <> 'testpass') then
    raise EXDataHttpUnauthorized.Create('Invalid password');
  JWT := TJWT.Create;
  try
    JWT.Claims.SetClaimOfType<string>('user', UserName);
    Scopes := 'terminal';
    JWT.Claims.SetClaimOfType<string>('scope', Scopes);
    JWT.Claims.Issuer := 'My REST server';
    Result := TJOSE.SHA256CompactToken('secretthatonlyikowandwillneverbeknowntoothers', JWT);
  finally
    JWT.Free;
  end;
end;

Note: The CompactToken uses the same secret as declared in TSparkleJwtMiddleware.Secret.

Aurelius entity sample

uses
  SysUtils,
  Generics.Collections,
  Aurelius.Mapping.Attributes,
  XData.Security.Attributes,
  Aurelius.Types.Blob,
  Aurelius.Types.DynamicProperties,
  Aurelius.Types.Nullable,
  Aurelius.Types.Proxy,
  Aurelius.Dictionary.Classes,
  Aurelius.Linq;

  ...

  [Entity]
  [Table('Dasy')]
  [Id('FId', TIdGenerator.None)]
  [EntityAuthorize(EntitySetPermissionsAll)]
  TDay = class
  private
    [Column('Id', [TColumnProp.Required])]
    FId: Integer;

    [Column('Name', [TColumnProp.Required], 20)]
    FName: string;
  public
    property Id: Integer read FId write FId;
    property Name: string read FName write FName;
  end;

I try to access the entity with Postman. I call the Login service operation and get the JWT token:

{
    "value": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoia2FtaWpvbmNpbiIsInNjb3BlIjoidGVybWluYWwiLCJpc3MiOiJLYW1pb25jaW4gUkVTVCBzZXJ2ZXIifQ.wag2XpBYpfjyJGQKNVJNDBcnxP-R_dTF5Iq3-g6jbLw"
}

but when I try to get the entity TDay, I get the error:

{
    "error": {
        "code": "InsufficientPermissions",
        "message": "You do not have enough permissions to perform this action"
    }
}

Here's the code on the client side, used to get the token - I get the same error as in Postman:

procedure TmodMain.connServerRequest(Args: TXDataWebConnectionRequest);
begin
  if self.AuthToken<>'' then
    Args.Request.Headers.SetValue('Authorization','Bearer ' + AuthToken);
end;

I checked the XData JWT demo and I think I've done the same in my app, I also checked the forum, but I just can't find what I'm doing wrong.

Have you properly set the EntitySetPermissions (or DefaultEntitySetPermissions) property in TXDataServer component? It's yet another layer that needs to be enabled for the entity endpoints to work.

Yes, if I turn off the authorization, I can see all the classes.

The problem is just when I turn on authorization.

I don't have other ideas right now. Maybe I'm also overlooking something.
Is it possible to send a small project reproducing the issue?
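
An added example, not part of the thread and not TMS XData code: a stand-alone Python check that a compact token like the one the Login operation returns verifies under a given HS256 secret and carries the expected scope claim, which rules the token itself in or out before looking at entity permissions. The secret and sample token below are constructed, and treating scope as a space-separated list is an assumption.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    # Compact JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 token (used here only to construct sample input)."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    header = b64url_encode(compact({"typ": "JWT", "alg": "HS256"}))
    payload = b64url_encode(compact(claims))
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"

def verify_hs256(token: str, secret: str) -> dict:
    """Return the claims if token is a well-formed HS256 JWT signed with secret."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    signed = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented MAC.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature does not match this secret")
    return json.loads(b64url_decode(parts[1]))

def has_scope(claims: dict, wanted: str) -> bool:
    # Assumption: 'scope' holds one or more space-separated values.
    return wanted in str(claims.get("scope", "")).split()

# Constructed sample: same claim names as the Login code above, made-up secret.
SAMPLE_SECRET = "constructed-demo-secret"
SAMPLE_TOKEN = sign_hs256(
    {"user": "test", "scope": "terminal", "iss": "My REST server"}, SAMPLE_SECRET)

if __name__ == "__main__":
    claims = verify_hs256(SAMPLE_TOKEN, SAMPLE_SECRET)
    print(claims, "terminal scope:", has_scope(claims, "terminal"))
```

If the token verifies and the claims are as expected, the token can be set aside and the server-side permission settings examined next.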