XData JWT auth from mariadb and apache

Gday,

I've finally managed to use JWT to authenticate a connection using a row (containing user/password) in my database!

I have two URIs: /<server>/data and /<server>/auth.

The data URI correctly rejects a query if I don't have a token (e.g. trying to browse the database through a browser). However, the auth URI does let me browse the database!

My web server module contains two xdata server modules: one (data) referring to an FDConnection with full database access, the other (auth) referring to an FDConnection with access only to the authentication tables.

Why does the auth connection give me visibility over the entire database? I have checked the user at the command line and that user does not give access to tables other than the authentication tables.

Thanks and regards,
Pat Heuvel

function TwmdDazzPT.CreateAuthServicePool: IDBConnectionPool;
begin
  result := TDBConnectionPool.Create(CPoolSize, TDBConnectionFactory.Create(
                function: IDBConnection
                begin
                  Result := TdmDazzPT.CreateAuthConnection;
                end));
end;

function TwmdDazzPT.CreateServicePool: IDBConnectionPool;
begin
  result := TDBConnectionPool.Create(CPoolSize, TDBConnectionFactory.Create(
                function: IDBConnection
                begin
                  Result := TdmDazzPT.CreateConnection;
                end));
end;

procedure TwmdDazzPT.TwmdDazzPTDefaultHandlerAction( Sender      : TObject;
                                                      Request     : TWebRequest;
                                                      Response    : TWebResponse;
                                                      var Handled : Boolean);
var
  lAdapter    : IWebBrokerAdapter;
begin
  lAdapter := TWebBrokerAdapter.Create(Request, Response);
  fServer.DispatchRequest(lAdapter);
end;

procedure TwmdDazzPT.WebModuleCreate(Sender: TObject);
var
  lXDataServerModule    : TXDataServerModule;
  lXDataAuthModule      : TXDataServerModule;
begin
  SetupLogging;

  fServer := TWebBrokerServer.Create;

  // server module for the DazzPT database, including middleware
  lXDataServerModule := TXDataServerModule.Create( CURLPrefix + '/data',
                                                   CreateServicePool);
  lXDataServerModule.AddMiddleware(TJwtMiddleware.Create(CDazzPTJWTSecret, true));

  fServer.Dispatcher.AddModule(lXDataServerModule);

  // server module for user authentication.
  lXDataAuthModule := TXDataServerModule.Create(  CURLPrefix + '/auth',
                                                  CreateAuthServicePool);
  fServer.Dispatcher.AddModule(lXDataAuthModule);
end;

By the way, the FDConnection used for the "auth" process logs in with the userID that has limited access to the database.

When you say you have access to the database, I suppose you mean that you see the endpoints available? But have you tried to actually access the database through those endpoints? The request should be rejected because your database user doesn't have access to SELECT the specified tables - as you said it is.

To avoid having the endpoints published when you have more than one TXDataServer in your module, you should logically separate the modules through models:
http://www.tmssoftware.biz/business/xdata/doc/web/multiple_servers_and_models.html.

Basically, flag your services and entities that are supposed to be in your auth module using a [Model('Auth')] attribute, and when creating the XData module, specify that model:

  lXDataAuthModule := TXDataServerModule.Create(  CURLPrefix + '/auth',
     CreateAuthServicePool, TXDataAureliusModel.Get('Auth'));

This way your /auth module will only see services and entities flagged with the "Auth" model.
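
As an added illustration of the model separation described in the answer above (this is not code from the thread, nor TMS's own sample code), the unit below flags one entity and one service contract with the 'Auth' model so that only they are published by the /auth module created with TXDataAureliusModel.Get('Auth'); the unit name, type names, property names and the interface GUID are all assumed.

```pascal
unit DazzPT.AuthModel;  // assumed unit name

interface

uses
  Aurelius.Mapping.Attributes,  // Entity, Automapping, Id, Model attributes
  XData.Service.Common;         // ServiceContract attribute

type
  // Entity that belongs to the 'Auth' model only. Entities without a
  // [Model] attribute stay in the default model used by the /data module,
  // so they are not reachable through /auth even if the database user could
  // read them.
  [Entity, Automapping]
  [Model('Auth')]
  TAuthUser = class
  private
    [Id('FId', TIdGenerator.IdentityOrSequence)]
    FId: Integer;
    FUserName: string;
    FPasswordHash: string;   // assumed column: store a hash, never the password
  public
    property Id: Integer read FId write FId;
    property UserName: string read FUserName write FUserName;
    property PasswordHash: string read FPasswordHash write FPasswordHash;
  end;

  // Service contract flagged with the same model. Login returns the JWT that
  // the /data module's TJwtMiddleware will later validate. The GUID below is
  // a constructed placeholder; generate a fresh one in the IDE.
  [ServiceContract]
  [Model('Auth')]
  IAuthService = interface(IInvokable)
    ['{3F1C9B2E-6A4D-4E7B-9C1A-5D2E8F0B7A61}']
    function Login(const UserName, Password: string): string;
  end;

implementation

// The implementing class (e.g. TAuthService) is registered in its own unit
// with RegisterServiceType, as in any XData service; it is not shown here.

end.
```

With this in place the /auth module publishes only IAuthService and TAuthUser, while the /data module, created without an explicit model, keeps publishing the default model behind TJwtMiddleware.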
Yes, shortly after posting the above, I populated the tables and, as you say, I was not able to access the rows.

Now to find out where the Model attribute goes!

Thanks for the response!

Okay, so the model facility is built into Data Modeler. Got it!

Thanks again!