TJwtMiddleware usage

Hi,

I am creating a test application to demonstrate the authentication in the TMS XData implementation.

I have followed the examples in documentation and have the following questions:

I have implemented a "LoginService" and "ServerStats".

Login does not contain [Authorize]

I have included the required attribute in the "ServerStats" as follow:

  [ServiceContract]
  [Authorize]
  IServerStatsService = interface(IInvokable)
  ['{A5D58D26-D6DE-4E00-86B9-3617BCA97794}']
    function EchoString(Value: string): string;
  end;

When starting my modules, I have implemented logic as follow:

  ...
  RegisterOpenAPIService;
  RegisterSwaggerUIService;

  fXDataModule.SwaggerOptions.AuthMode := TSwaggerAuthMode.Jwt;
  ...

  fXDataModule.AddMiddleware(TJwtMiddleware.Create(DEFAULT_SECRET));

  1. I am able to execute "EchoString" even though I am not authenticated.
  2. Having a look at TJwtMiddleware.ProcessRequest, it checks for ForbidAnonymousAccess, but when I enable this, I can't even open Swagger or execute my Login.
    e.g. fXDataModule.AddMiddleware(TJwtMiddleware.Create(DEFAULT_SECRET, True));

Am I missing something else in the implementation?

Regards,
Jacques


Should the [Authorize] attribute be just before the function declaration? It is set per-endpoint, not for the service overall, isn't it?

[Authorize] function EchoString....

Hi Andrew,

The documentation allows for both approaches. It can be at function or class level.

  [ServiceContract]
  IMyService = interface(IInvokable)
  ['{80A69E6E-CA89-41B5-A854-DFC412503FEA}']

    function NonRestricted: string;

    [Authorize]
    function Restricted: string;
  end;

and

  [ServiceContract]
  [Authorize]
  IMyService = interface(IInvokable)
  ['{80A69E6E-CA89-41B5-A854-DFC412503FEA}']

    function Restricted: string;
    function AlsoRestricted: string;
  end;

I have however noticed the following in the documentation as well.

WARNING

Regardless if the token exists or not and the User property is set or not, the middleware will forward the processing of the request to your server. It's up to you to check if user is present in the request or not. If you want the token to prevent non-authenticated requests to be processed, set its ForbidAnonymousAccess to true.

Does this mean I should implement an additional middleware that checks for the bearer token in the header, but only if it is not my logon service? I was hoping that this logic would be handled by the TJwtMiddleware, or is this way before the attribute is validated?

Regards,

Aren't you receiving an "Unknown custom attribute" warning? Are you sure you added unit XData.Security.Attributes to the uses clause?
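To make the point of the reply above concrete: if XData.Security.Attributes is not in the uses clause, the compiler has no declaration for [Authorize], treats it as an unknown attribute, drops it, and the endpoint silently becomes anonymous (it fails open). The following is an added example, not code from the original posts or from TMS; it shows a service interface with the unit in place, plus a defensive check of the request user inside the implementation. The unit names XData.Service.Common, XData.Server.Module, XData.Sys.Exceptions and Sparkle.Security are the ones I assume XData/Sparkle ship, and the {$WARN UNKNOWN_CUSTOM_ATTRIBUTE ERROR} directive is assumed to be the switch that promotes the compiler's "Unknown custom attribute" warning to an error; verify both against your XData and Delphi version.

```delphi
unit ServerStatsService;

interface

// Assumed: promote the "Unknown custom attribute" warning to a hard error, so a
// missing attribute unit breaks the build instead of silently removing [Authorize].
{$WARN UNKNOWN_CUSTOM_ATTRIBUTE ERROR}

uses
  XData.Service.Common,        // assumed unit: ServiceContract, RegisterServiceType
  XData.Security.Attributes;   // required: declares [Authorize]; without it the attribute is dropped

type
  [ServiceContract]
  [Authorize]   // class-level: every method of this contract requires an authenticated user
  IServerStatsService = interface(IInvokable)
  ['{A5D58D26-D6DE-4E00-86B9-3617BCA97794}']
    function EchoString(Value: string): string;
  end;

implementation

initialization
  RegisterServiceType(TypeInfo(IServerStatsService));

end.
```

And the implementation side, as a second added example in the same spirit. The attribute is what should reject anonymous calls before the method runs; the explicit nil check on Request.User is a belt-and-braces guard so that a build in which the attribute was lost still refuses to serve the call instead of echoing for everyone:

```delphi
unit ServerStatsServiceImpl;

interface

uses
  XData.Server.Module,         // assumed unit: TXDataOperationContext
  XData.Sys.Exceptions,        // assumed unit: EXDataHttpUnauthorized (HTTP 401)
  Sparkle.Security,            // assumed unit: IUserIdentity
  XData.Service.Common,
  ServerStatsService;

type
  [ServiceImplementation]
  TServerStatsService = class(TInterfacedObject, IServerStatsService)
  public
    function EchoString(Value: string): string;
  end;

implementation

function TServerStatsService.EchoString(Value: string): string;
var
  User: IUserIdentity;
begin
  // TJwtMiddleware validates the bearer token and sets Request.User; it does not
  // block the request by itself unless ForbidAnonymousAccess is True.
  User := TXDataOperationContext.Current.Request.User;
  if User = nil then
    raise EXDataHttpUnauthorized.Create('Authentication required');
  Result := Value;
end;

initialization
  RegisterServiceType(TServerStatsService);

end.
```

The check you actually want after the build is behavioural: call the endpoint once with no Authorization header and expect 401, then once with a valid token and expect 200. If the first call succeeds, the attribute was not compiled in.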

Hi Wagner,

I have added this and it is working now. Thanks for that. It was not complaining about an unknown attribute; that is the funny thing.

The only thing I am struggling with now is the authorization from swagger. It does not include Bearer on the auth string.

Once again, thanks for your assistance.

