THTTPRouter Documentation
JohnnieK:
Hi
I can't locate any documentation for THTTPRouter, so I read the source. I still have a few questions, so I'm hoping someone can answer them for me.
Some background on what I am trying to achieve. I would like to build a rest web service and have a way to check for the bearer token in a single place, rather than in every single route. If the bearer token is not present, I want to send back a 404 and the actual code in the route routine must not be called.
From the code (in THTTPRouter.RouteRequest) it looks like BeforeRequest cannot prevent the execution of the requests. So I cannot use BeforeRequest to check if the request has a valid authentication token.
It looks like RunIntercepts can prevent the execution of the route routine, but I cannot understand how RunIntercepts works. There is an example in the examples directory, but I still don't understand how it works. Must I register an Intercept for each route or can I register a single intercept that will check the token for all routes?
Thanx in advance
TRon:
There is some minimal documentation on the class(es) themselves, https://www.freepascal.org/daily/packages/fcl-web/httproute/index-3.html
A small example from Marcus: https://medium.com/@marcusfernstrm/url-routes-and-parameters-in-freepascal-web-servers-d7828d15de40
PierceNg:
--- Quote from: JohnnieK on August 29, 2024, 04:43:04 pm ---It looks like RunIntercepts can prevent the execution of the route routine, but I cannot understand how RunIntercepts works. There is an example in the examples directory, but I still don't understand how it works. Must I register an Intercept for each route or can I register a single intercept that will check the token for all routes?
--- End quote ---
The demo has this code:
--- Code: Pascal ---
procedure THTTPApplication.DoRun;
  // <blah blah>
  if Fauth<>'' then
    HTTPRouter.RegisterInterceptor('auth',@DoAuthorization);
  // <...>
--- End code ---
And its DoAuthorization interceptor does basic authentication. Try changing that code to do your bearer authentication. Note the end of DoAuthorization, which returns response to the client without proceeding:
--- Code: Pascal ---
  if not aContinue then
    begin
    aResponse.Code:=401;
    aResponse.CodeText:='Unauthorized';
    aResponse.WWWAuthenticate:='Basic Realm="This site needs a password"';
    aResponse.SendContent;
    end;
--- End code ---
Here's the log from the demo when I used incorrect password:
--- Code: Text ---
2024-08-30 08:48:57.953 [etInfo] Request 14: / : 401 (0 bytes)
2024-08-30 08:49:02.552 [etInfo] Invalid password provided: bongo    <== Ahem, shouldn't log the password
--- End code ---
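The bearer-token variant of the interceptor discussed above, as an added example that is not part of the original post or of the fcl-web demo. It assumes an fcl-web version that provides RegisterInterceptor and that the callback has the same shape as the demo's DoAuthorization; TAuth, SameToken, Hello, ExpectedToken and port 8080 are hypothetical names and values.

```pascal
program bearerintercept;
{$mode objfpc}{$H+}
uses sysutils, httpdefs, httproute, fphttpapp;

const
  ExpectedToken = 'constructed-sample-token'; // placeholder, not a real secret
type
  TAuth = class
    procedure Check(ARequest: TRequest; AResponse: TResponse; var aContinue: Boolean);
  end;

// Compare every character so timing does not reveal where the mismatch is.
function SameToken(const A, B: String): Boolean;
var i, Diff: Integer;
begin
  if Length(A) <> Length(B) then Exit(False);
  Diff := 0;
  for i := 1 to Length(A) do
    Diff := Diff or (Ord(A[i]) xor Ord(B[i]));
  Result := Diff = 0;
end;

// Assumed signature: the same as the demo's DoAuthorization.
procedure TAuth.Check(ARequest: TRequest; AResponse: TResponse; var aContinue: Boolean);
var Hdr: String;
begin
  Hdr := Trim(ARequest.Authorization);
  aContinue := SameText(Copy(Hdr, 1, 7), 'Bearer ') and
               SameToken(Trim(Copy(Hdr, 8, MaxInt)), ExpectedToken);
  if not aContinue then
  begin
    // Record the failure if needed, but never write the token to the log.
    AResponse.Code := 401;
    AResponse.CodeText := 'Unauthorized';
    AResponse.WWWAuthenticate := 'Bearer';
    AResponse.SendContent;
  end;
end;

procedure Hello(ARequest: TRequest; AResponse: TResponse);
begin
  AResponse.Content := 'hello'; // route body contains no token check
end;

var Auth: TAuth;
begin
  Auth := TAuth.Create;
  HTTPRouter.RegisterInterceptor('auth', @Auth.Check); // registered once
  HTTPRouter.RegisterRoute('/hello', rmGet, @Hello);
  Application.Port := 8080;
  Application.Initialize;
  Application.Run;
end.
```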
Thaddy:
It is OK and proper to log wrong passwords. It is not OK to log the proper password.
Although a server should only know the hash, storing false attempts is not really wrong.
JohnnieK:
Thanx for all the replies. I now understand what I need to do.