Gday,
I've finally managed to use JWT to authenticate a connection using a row (containing user/password) in my database!
I have two URIs: /<server>/data and /<server>/auth.
The data URI correctly rejects a query if I don't have a token (e.g. trying to browse the database through a browser). However, the auth URI does let me browse the database!
My web server module contains two xdata server modules: one (data) referring to an FDConnection with full database access, the other (auth) referring to an FDConnection with access only to the authentication tables.
Why does the auth connection give me visibility over the entire database? I have checked the user at the command line, and that user has no access to tables other than the authentication tables.
Thanks and regards,
Pat Heuvel
begin
result := TDBConnectionPool.Create(CPoolSize, TDBConnectionFactory.Create(
function: IDBConnection
begin
Result := TdmDazzPT.CreateAuthConnection;
end));
end;
function TwmdDazzPT.CreateServicePool: IDBConnectionPool;
var
  lFactory: IDBConnectionFactory;
begin
  // Builds the connection pool handed to the '/data' XData module in
  // WebModuleCreate. Every pooled connection is produced by
  // TdmDazzPT.CreateConnection; which database account that uses is decided
  // in TdmDazzPT and cannot be seen from this function.
  lFactory := TDBConnectionFactory.Create(
    function: IDBConnection
    begin
      Result := TdmDazzPT.CreateConnection;
    end);

  // CPoolSize is the pool size passed to TDBConnectionPool.
  Result := TDBConnectionPool.Create(CPoolSize, lFactory);
end;
// Default WebBroker action: wraps the incoming request/response pair in a
// TWebBrokerAdapter and passes it to fServer for dispatching. Which module
// answers ('/data' or '/auth') is decided by the dispatcher populated in
// WebModuleCreate, not here. Handled is not assigned in this body.
procedure TwmdDazzPT.TwmdDazzPTDefaultHandlerAction( Sender : TObject;
Request : TWebRequest;
Response : TWebResponse;
var Handled : Boolean);
var
// Interface-typed local: it holds a reference to the adapter until the
// procedure returns, i.e. for the whole DispatchRequest call.
lAdapter : IWebBrokerAdapter;
begin
lAdapter := TWebBrokerAdapter.Create(Request, Response);
// No authentication check happens at this level; any token enforcement is
// whatever middleware was attached to the module that receives the request.
fServer.DispatchRequest(lAdapter);
end;
procedure TwmdDazzPT.WebModuleCreate(Sender: TObject);
var
  lDataModule: TXDataServerModule;
  lAuthModule: TXDataServerModule;
begin
  // Runs when the web module is created: sets up logging, creates the
  // WebBroker server and registers the two XData modules on its dispatcher.
  SetupLogging;
  fServer := TWebBrokerServer.Create;

  // '/data': backed by CreateServicePool and guarded by the JWT middleware.
  // The middleware is created with 'true' as its second argument; the
  // observed effect is that requests without a token are rejected.
  // NOTE(review): CDazzPTJWTSecret is a constant declared outside this
  // procedure. If it is a literal in source, it ships in the binary and in
  // version control; prefer loading it from protected configuration.
  lDataModule := TXDataServerModule.Create(CURLPrefix + '/data', CreateServicePool);
  lDataModule.AddMiddleware(TJwtMiddleware.Create(CDazzPTJWTSecret, true));
  fServer.Dispatcher.AddModule(lDataModule);

  // '/auth': backed by CreateAuthServicePool. No middleware is attached, so
  // this module answers requests that carry no token at all.
  // NOTE(review): neither module is given an explicit model here, so nothing
  // in this procedure limits what '/auth' publishes; the only remaining
  // barrier is the database account behind CreateAuthConnection. Confirm that
  // account really is the restricted one, and limit the entities/operations
  // this module exposes to the login call (XData offers per-module models and
  // entity-set permissions; check the documentation for the version in use).
  lAuthModule := TXDataServerModule.Create(CURLPrefix + '/auth', CreateAuthServicePool);
  fServer.Dispatcher.AddModule(lAuthModule);
end;
result := TDBConnectionPool.Create(CPoolSize, TDBConnectionFactory.Create(
function: IDBConnection
begin
Result := TdmDazzPT.CreateAuthConnection;
end));
end;
function TwmdDazzPT.CreateServicePool: IDBConnectionPool;
var
  lFactory: IDBConnectionFactory;
begin
  // Builds the connection pool handed to the '/data' XData module in
  // WebModuleCreate. Every pooled connection is produced by
  // TdmDazzPT.CreateConnection; which database account that uses is decided
  // in TdmDazzPT and cannot be seen from this function.
  lFactory := TDBConnectionFactory.Create(
    function: IDBConnection
    begin
      Result := TdmDazzPT.CreateConnection;
    end);

  // CPoolSize is the pool size passed to TDBConnectionPool.
  Result := TDBConnectionPool.Create(CPoolSize, lFactory);
end;
// Default WebBroker action: wraps the incoming request/response pair in a
// TWebBrokerAdapter and passes it to fServer for dispatching. Which module
// answers ('/data' or '/auth') is decided by the dispatcher populated in
// WebModuleCreate, not here. Handled is not assigned in this body.
procedure TwmdDazzPT.TwmdDazzPTDefaultHandlerAction( Sender : TObject;
Request : TWebRequest;
Response : TWebResponse;
var Handled : Boolean);
var
// Interface-typed local: it holds a reference to the adapter until the
// procedure returns, i.e. for the whole DispatchRequest call.
lAdapter : IWebBrokerAdapter;
begin
lAdapter := TWebBrokerAdapter.Create(Request, Response);
// No authentication check happens at this level; any token enforcement is
// whatever middleware was attached to the module that receives the request.
fServer.DispatchRequest(lAdapter);
end;
procedure TwmdDazzPT.WebModuleCreate(Sender: TObject);
var
  lDataModule: TXDataServerModule;
  lAuthModule: TXDataServerModule;
begin
  // Runs when the web module is created: sets up logging, creates the
  // WebBroker server and registers the two XData modules on its dispatcher.
  SetupLogging;
  fServer := TWebBrokerServer.Create;

  // '/data': backed by CreateServicePool and guarded by the JWT middleware.
  // The middleware is created with 'true' as its second argument; the
  // observed effect is that requests without a token are rejected.
  // NOTE(review): CDazzPTJWTSecret is a constant declared outside this
  // procedure. If it is a literal in source, it ships in the binary and in
  // version control; prefer loading it from protected configuration.
  lDataModule := TXDataServerModule.Create(CURLPrefix + '/data', CreateServicePool);
  lDataModule.AddMiddleware(TJwtMiddleware.Create(CDazzPTJWTSecret, true));
  fServer.Dispatcher.AddModule(lDataModule);

  // '/auth': backed by CreateAuthServicePool. No middleware is attached, so
  // this module answers requests that carry no token at all.
  // NOTE(review): neither module is given an explicit model here, so nothing
  // in this procedure limits what '/auth' publishes; the only remaining
  // barrier is the database account behind CreateAuthConnection. Confirm that
  // account really is the restricted one, and limit the entities/operations
  // this module exposes to the login call (XData offers per-module models and
  // entity-set permissions; check the documentation for the version in use).
  lAuthModule := TXDataServerModule.Create(CURLPrefix + '/auth', CreateAuthServicePool);
  fServer.Dispatcher.AddModule(lAuthModule);
end;