
THTTPRouter Documentation


JohnnieK:
Hi

I can't locate any documentation for THTTPRouter, so I read the source. I still have a few questions, so I'm hoping someone can answer them for me.
Some background on what I am trying to achieve. I would like to build a REST web service and have a way to check for the bearer token in a single place, rather than in every single route. If the bearer token is not present, I want to send back a 404 and the actual code in the route routine must not be called.
From the code (in THTTPRouter.RouteRequest) it looks like BeforeRequest cannot prevent the execution of the requests. So I cannot use BeforeRequest to check if the request has a valid authentication token.
It looks like RunIntercepts can prevent the execution of the route routine, but I cannot understand how RunIntercepts works. There is an example in the examples directory, but I still don't understand how it works. Must I register an Intercept for each route or can I register a single intercept that will check the token for all routes?

Thanx in advance

TRon:
There is some minimal documentation on the class(es) themselves, https://www.freepascal.org/daily/packages/fcl-web/httproute/index-3.html

A small example from Marcus: https://medium.com/@marcusfernstrm/url-routes-and-parameters-in-freepascal-web-servers-d7828d15de40

PierceNg:

--- Quote from: JohnnieK on August 29, 2024, 04:43:04 pm ---It looks like RunIntercepts can prevent the execution of the route routine, but I cannot understand how RunIntercepts works. There is an example in the examples directory, but I still don't understand how it works. Must I register an Intercept for each route or can I register a single intercept that will check the token for all routes?

--- End quote ---

The demo has this code:


--- Code: Pascal ---
procedure THTTPApplication.DoRun:
<blah blah>
  if Fauth<>'' then
    HTTPRouter.RegisterInterceptor('auth',@DoAuthorization);
<...>
--- End code ---

And its DoAuthorization interceptor does basic authentication. Try changing that code to do your bearer authentication. Note the end of DoAuthorization, which returns response to the client without proceeding:


--- Code: Pascal ---
  if not aContinue then
    begin
    aResponse.Code:=401;
    aResponse.CodeText:='Unauthorized';
    aResponse.WWWAuthenticate:='Basic Realm="This site needs a password"';
    aResponse.SendContent;
    end;
--- End code ---

Here's the log from the demo when I used incorrect password:


--- Code: Text ---
2024-08-30 08:48:57.953 [etInfo] Request 14: / : 401 (0 bytes)
2024-08-30 08:49:02.552 [etInfo] Invalid password provided: bongo              <== Ahem, shouldn't log the password
--- End code ---
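
Added example, not part of the post above or of the fcl-web demo: a stand-alone program with the bearer-token check that a single interceptor could call, setting aContinue to the result of IsAuthorized on the request's Authorization header value. The function names, the token value and the sample headers are assumptions constructed for illustration.

```pascal
program bearercheck;
{$mode objfpc}{$H+}
uses SysUtils;

const
  ExpectedToken = 'constructed-sample-token'; // placeholder; load from config in practice

// Pull the token out of an "Authorization: Bearer <token>" header value.
function ExtractBearerToken(const AuthHeader: string; out Token: string): Boolean;
const
  Scheme = 'bearer ';
var S: string;
begin
  Token := '';
  S := Trim(AuthHeader);
  // The scheme name is matched case-insensitively; the token itself is not.
  Result := SameText(Copy(S, 1, Length(Scheme)), Scheme);
  if Result then
  begin
    Token := Trim(Copy(S, Length(Scheme) + 1, MaxInt));
    Result := Token <> '';   // "Bearer" followed by nothing is rejected
  end;
end;

// Compare every byte instead of stopping at the first mismatch, so the
// response time does not show how much of a guessed token was right.
function SameTokenConstTime(const A, B: string): Boolean;
var I, Diff: Integer;
begin
  Diff := Length(A) xor Length(B);
  for I := 1 to Length(A) do
    if I <= Length(B) then
      Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

function IsAuthorized(const AuthHeader: string): Boolean;
var Token: string;
begin
  Result := ExtractBearerToken(AuthHeader, Token) and SameTokenConstTime(Token, ExpectedToken);
end;

begin
  // Constructed header values, not taken from the thread.
  WriteLn(IsAuthorized('Bearer constructed-sample-token'));
  WriteLn(IsAuthorized('bearer   constructed-sample-token'));
  WriteLn(IsAuthorized('Bearer wrong'));
  WriteLn(IsAuthorized('Basic dXNlcjpwYXNz'));
  WriteLn(IsAuthorized(''));
end.
```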

Thaddy:
It is OK and proper to log wrong passwords. It is not OK to log the proper password.
Although a server should only know the hash, storing false attempts is not really wrong.

JohnnieK:
Thanx for all the replies. I now understand what I need to do.
