Enabling Security of Access to Your Server - marcos8154/SocketAppServer GitHub Wiki

As of version 1.4.3, the framework has an authentication mechanism very similar to the JWT scheme used by HTTP APIs.

Before you deploy, make sure the "AuthorizationController.xml" file exists in your project's Mappings folder. If it does not, you need to upgrade the framework, which you can do through NuGet.

The Beginning of Everything: The User Repository

You must provide a class that implements the "IServerUserRepository" interface, located in the "MobileAppServer.Security" namespace. This interface contains the Authenticate method, which takes two parameters (the user name or e-mail, and the password) and must return a ServerUser object, or null when authentication fails.

    using System.Linq;
    using MobileAppServer.Security;

    public class UserRepository : IServerUserRepository
    {
        public ServerUser Authenticate(string userNameOrEmail, string password)
        {
            // MySystemDbUsers stands for your own user store (a DbSet, a list, etc.)
            var myUser = MySystemDbUsers.FirstOrDefault(u => u.Email.Equals(userNameOrEmail) &&
                                                             u.Password.Equals(password));

            // Returning null tells the framework that authentication failed
            if (myUser == null)
                return null;

            return new ServerUser(myUser.Id, myUser.Name, myUser.Email, "Default Organization");
        }
    }

.......

Enabling Server Authentication

After implementing your user repository, register an instance of it with the server as follows:

    server.EnableSecurity(new UserRepository());

There are also some useful parameters that you can pass at this point:

    public void EnableSecurity(IServerUserRepository repository, int tokenLifetime = 3, string tokenCryptPassword = "");

  • IServerUserRepository repository: instance of your user repository
  • int tokenLifetime: lifetime, in minutes, of the tokens issued by the server
  • string tokenCryptPassword: encryption key used to compose the tokens. You can enter a key of your choice or leave the string empty. If the string is empty, the framework generates the cryptographic keys for you, composing the key dynamically per request from hardware data, authenticated user data, and a unique request identifier.

Testing Authentication

In this example we will use the AppServer Test Client, the MobileAppServer Test

When attempting to make a request to our ExampleController / HelloAction, we will receive an error saying that we are not allowed to access the resource:

Now, whenever we want to access the server, we need to supply the "authorization" parameter in the request. This parameter must contain the access token issued by the server. To obtain this token, we first request it through the AuthorizationController, supplying the user name and password. The framework then asks our user repository class to authenticate, and the repository returns the authenticated user (or null).

If authentication succeeds, we will receive the access token in the response. And that's what we should use to authenticate on the server:

The token will look like this:


Now we can make the request to our ExampleController / HelloAction again, passing the "authorization" parameter with the value of the token we were granted:

And this time we are allowed to access the resource on the server:

Restricting user access to certain actions

In your user repository, after instantiating the ServerUser object, you can add roles that determine whether the user may invoke certain server actions.

    var serverUser = new ServerUser(myUser.Id, myUser.Name, myUser.Email, "Default Organization");
    // Deny this user access to ExampleController/HelloAction (true would grant it)
    serverUser.AddRole("ExampleController", "HelloAction", false);
    return serverUser;

The parameters are:

    public void AddRole(string controller, string action, bool enableAccess);

The framework then enforces each user's access to the given controller/action automatically, based on the values passed to the AddRole() method of the ServerUser class.
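The repository and role sections above can be combined into one complete implementation. The following is an added example, not code from the SocketAppServer project: it assumes a user record type of your own (StoredUser, with PBKDF2 password hashes and an IsAdmin flag), an int user Id, and a `server` variable holding your configured server instance.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using MobileAppServer.Security;

// Assumed user record (not part of the framework): passwords are stored as
// PBKDF2 hashes, never in plain text, so Authenticate compares derived keys.
public class StoredUser
{
    public int Id; public string Name; public string Email;
    public byte[] Salt; public byte[] PasswordHash; public bool IsAdmin;
}

public class UserRepository : IServerUserRepository
{
    private const int Iterations = 100000;
    private readonly List<StoredUser> users;   // stand-in for your database

    public UserRepository(List<StoredUser> users) { this.users = users; }

    public ServerUser Authenticate(string userNameOrEmail, string password)
    {
        var user = users.FirstOrDefault(u =>
            u.Email.Equals(userNameOrEmail, StringComparison.OrdinalIgnoreCase));
        if (user == null || !VerifyPassword(password, user.Salt, user.PasswordHash))
            return null;   // null tells the framework that authentication failed

        var serverUser = new ServerUser(user.Id, user.Name, user.Email, "Default Organization");
        // Per-action authorization: only admins may call ExampleController/HelloAction.
        serverUser.AddRole("ExampleController", "HelloAction", user.IsAdmin);
        return serverUser;
    }

    private static bool VerifyPassword(string password, byte[] salt, byte[] expected)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;   // constant-time comparison: no early exit on mismatch
            for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }
}

// Registration with a 15-minute token lifetime and an explicit key taken from the
// environment (assumes 'server' is your configured server and 'usersFromDb' your user list):
// server.EnableSecurity(new UserRepository(usersFromDb), 15, Environment.GetEnvironmentVariable("TOKEN_KEY"));
```

Keeping the token key out of source code and shortening the lifetime limits the window in which a leaked token can be replayed.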