Suggestions on creating a user authentication system.

  • ealione wrote (#1):

    I have created a simple http server that can map various urls to functions, deal with sessions and cookies, as well as read parameters located in a url.

    What I hope to do now is create a login system that will be somewhat secure.
    I do not know how to go on about it though. As a first test what I did was to connect to my server with a url like this:

    http://localhost:8080/auth?pass=somepass

    I would then read the value of pass and if it was found inside a database that my server is connected to, then I would simply return a success message to the client.

    I do understand from the little that I have read that I will have to change my server in order to use ssl, so the data sent between the client and it will be secure, and also that I will have to use a string encryption (possibly some external library).

    If you have ever dealt with a similar situation or can provide some good advice on how I should implement my user authentication system, I'd be happy to hear.

    • SGaist (Lifetime Qt Champion) wrote (#2):

      Hi,

      User authentication should follow either:

      • Basic Auth
      • Token Auth e.g. for REST end point
      • Digest Auth
      • OAuth version 1 or 2

      Depending on what your server should serve, a two factor authentication method might also be something to study.

      What framework are you using ?

      Interested in AI ? www.idiap.ch
      Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

      • ealione wrote (#3):

        From the aforementioned methods I believe digest authentication would be a good solution for me. In fact I started to do something similar right before I read your answer. I discovered botan that seems to be able to encrypt passwords. Unfortunately, after trying to use it (by just including botan.h in a test project), it threw a bunch of errors.

        If by framework you mean what I used to create the server, then nothing. It's a purely Qt server.

        The idea behind this project was that I would have an app that will store some data not on the local machine but on a remote server. Offering something like cloud functionality, in order to back up or share data.

        Having this in mind I created the server. It works fine until now, accepting requests and answering with the correct templates as needed. So being at this point it makes sense to add some sort of authentication or else the user data will be open to anybody.

        • SGaist wrote (#4):

          Did you consider using Qt Cloud Services? Following your description, they provide what you need.

          • ealione wrote (#5, last edited by ealione):

            Yes I do know about Qt Cloud Services. A while ago I did some tests with that too, and also tried uploading my server to a MAR instance but failed during compilation.

            Wouldn't I still need to develop the login system though?
            They offer the space and database for me to use, but I believe it is up to me to actually implement what I want in one of the languages they support.

            EDIT

            I did a simple test with QCryptographicHash using

            QByteArray result = hash1->hash(myPass.toLatin1(), QCryptographicHash::Sha3_512);
            

            I have no idea if SHA3 is good enough to depend upon though.

            My other alternative would be using bcrypt.
            That I do know is quite a secure algorithm.

            And of course I would have to modify the server to use SSL, right?

            EDIT2
            I also did some tests with bcrypt and it seems to be working fine.

            Before I continue implementing this, just to be sure, what I am supposed to do is:
            get the users password (through a secure connection),
            read that value in my server,
            hash it, and compare it with the value on my database,
            and I'm done.

            • SGaist wrote (#6):

              It's rather: establish a secure connection to your server, that's simple: make it only accept https connections. Then you need to send the credential from your client to your server and do the checks.

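The check discussed in posts #5 and #6 (receive the password over HTTPS, hash it, compare it with the stored value), as an added example that is not part of the original thread. It is a Python sketch rather than Qt code; the in-memory `USERS` table, the user names and the scrypt cost parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed cost parameters for this sketch; tune them to your hardware.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def fast_hash(password: str) -> bytes:
    """Unsalted SHA3-512 as tried in the thread: same password, same digest."""
    return hashlib.sha3_512(password.encode("utf-8")).digest()


def make_record(password: str) -> dict:
    """Registration: store a random per-user salt and the slow, salted hash."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Login: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=record["salt"], **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, record["hash"])


# Used for unknown users so the response time does not reveal valid names.
DUMMY_RECORD = make_record("placeholder")


def login(db: dict, username: str, password: str) -> bool:
    """Credentials are taken from the HTTPS request body, not from the URL."""
    record = db.get(username)
    if record is None:
        verify(password, DUMMY_RECORD)  # same cost as a real check
        return False
    return verify(password, record)


# Constructed "database": two users who happen to share a password.
USERS = {"alice": make_record("correct horse"), "bob": make_record("correct horse")}

if __name__ == "__main__":
    print("unsalted digests equal:", fast_hash("correct horse") == fast_hash("correct horse"))
    print("salted records equal:  ", USERS["alice"]["hash"] == USERS["bob"]["hash"])
    print("alice, right password: ", login(USERS, "alice", "correct horse"))
    print("alice, wrong password: ", login(USERS, "alice", "guess"))
```

In a Qt server the same key-derivation step is available through `QPasswordDigestor::deriveKeyPbkdf2` (Qt 5.12 and later) or a bcrypt library such as the one mentioned in post #5.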
              • ealione wrote (#7):

                I guess you are right, establishing a secure connection is very important, but
                I originally did my server only using http, following the various Qt examples. So now I found it hard to make it use https.
                Qt's example on a secure connection did not help me very much because my server's architecture is a little bit different and that example is not... flexible to change I would say.
                Someone here in the forums recommended this, from which I learned a great deal of things but it is using simple http, as most of the servers I have seen in Qt.

                • SGaist wrote (#8):

                  For the connection encryption setup, see QSslSocket

                  • ealione wrote (#9):

                    I tried making my server use QSslSocket (I created some self signed keys) but when trying to connect to it I get

                    QIODevice::read: device not open

                    So now I am in the process of trying to find what is happening.

                    • SGaist wrote (#10):

                      How are you creating it ?

                      • ealione wrote (#11, last edited by ealione):

                        I have a 'Listener' class that is subclassing QTcpServer

                        class Listener : public QTcpServer {
                        ...
                        

                        It is using a worker

                        class NewConnectionHandler : public QThread {
                        ...
                        

                        In this worker class I provide a socket for the server to use in each new connection

                        moveToThread(this);
                        
                        QFile certFile(QStringLiteral("./certificate/testC.cer"));
                        QFile keyFile(QStringLiteral("./certificate/testR.pem"));
                        certFile.open(QIODevice::ReadOnly);
                        keyFile.open(QIODevice::ReadOnly);
                        QSslCertificate certificate(&certFile, QSsl::Pem);
                        QSslKey sslKey(&keyFile, QSsl::Rsa, QSsl::Pem);
                        certFile.close();
                        keyFile.close();
                        
                        sslSocket.moveToThread(this);
                        sslSocket.setLocalCertificate(certificate);
                        sslSocket.setPrivateKey(sslKey);
                        sslSocket.setProtocol(QSsl::TlsV1SslV3);
                        sslSocket.startServerEncryption();
                        
                        connect(&sslSocket, SIGNAL(readyRead()), SLOT(read()));
                        connect(&sslSocket, SIGNAL(disconnected()), SLOT(disconnected()));
                        connect(&readTimer, SIGNAL(timeout()), SLOT(readTimeout()));
                        
                        this->start();
                        

                        This is pretty much what I am trying to do. The server is highly based from the one in the link I provided, and the one from VoidRealm's youtube video.

                        • SGaist wrote (#12):

                          On what is the first moveToThread called ?

                          • ealione wrote (#13):

                            I use moveToThread for the ConnectionHandler class (class NewConnectionHandler) that takes care of creating a socket in the manner described above. I then return it to my listener class. It works for a TcpSocket, but if I try to alter it like above then it stops working.

                            • SGaist wrote (#14):

                              If you really want to use multithreading then have a look at the Threaded Fortune Server example

                              • ealione wrote (#15):

                                I have. Usually all my projects get inspired by either the examples or some other project that someone has put on the web. It's just that sometimes I have trouble moving them to the next level, just like with this one.
