Suggestions on creating a user authentication system.

SGaist · wrote on 17 Mar 2015, 12:32

Hi,

User authentication should follow either:

Basic Auth
Token Auth e.g. for REST end point
Digest Auth
OAuth version 1 or 2

Depending on what your server should serve, a two factor authentication method might also be something to study.

What framework are you using ?

ealione · wrote on 17 Mar 2015, 13:06

From the aforementioned methods I believe digest authentication would be a good solution for me. In fact I started to do something similar right before I read your answer. I discovered botan that seems to be able to encrypt passwords. Unfortunately after trying to use it (by just including botan.h in a test project it threw a bunch of errors.)

If by framework you mean what I used to create the server, then nothing. Its a purely Qt server.

The idea behind this project was that I would have an app that will store some data not on the local machine but on a remote server. Offering something like cloud functionality, in order to back up or share data.

Having this in mind I created the server. It works fine until now, accepting requests and answering with the correct templates as needed. So being at this point it makes sense to add some sort of authentication or else the user data will be open to anybody.

SGaist · wrote on 17 Mar 2015, 22:43

Did you consider using Qt Cloud Services ? Following your description, they provide what you need

ealione · wrote on 18 Mar 2015, 07:38

Yes I do know about Qt Cloud Services. A while ago i did some tests with that too, and also tried uploading my server to a MAR instance but failed during compilation.

Wouldn't I still need to develop the login system though?
They offer the space and database for me to use, but I believe it is up to me to actually implement what I want in one of the languages they support.

EDIT

I did a simple test with QCryptographicHash using

QByteArray result = hash1->hash(myPass.toLatin1(), QCryptographicHash::Sha3_512);

I have no idea if SHA3 is good enough to depend upon though.

My other alternative would be using bcrypt
That I do know is quite a secure algorithm.

And of curse I would have to modify the server to use SSL right?

EDIT2
I did also some test with bcrypt and it seems to be working fine.

Before I continue implementing this, just to be sure, what I am supposed to do is :
get the users password (through a secure connection),
read that value in my server,
hash it, and compare it with the value on my database,
and I'm done.

SGaist · wrote on 31 Mar 2015, 22:48

It's rather: establish a secure connection to your server, that's simple: make it only accept https connection. Then you need to send the credential from your client to your server and do the checks

ealione · wrote on 1 Apr 2015, 06:50

I guess you are right, establishing a secure connection is very important, but
I originally did my server only using http, following the various Qt examples. So now I found it hard to make it use https.
Qt's example on a secure connection did not help me very much because my servers architecture is a little bit different and that example is not... flexible to change I would say.
Someone here in the forums recommended this, from which I learned a great deal of things but it is using simple http, as most of the servers I have seen in Qt.

SGaist · wrote on 1 Apr 2015, 23:01

For the connection encryption setup, see QSslSocket

ealione · wrote on 2 Apr 2015, 06:41

I tried making my server use QSslSocket (I created some self signed keys) but when trying to connect to it I get

QIODevice::read: device not open

So now I am in the process of trying to find what is happening.

SGaist · wrote on 2 Apr 2015, 23:36

How are you creating it ?

ealione · 4 Mar 2015, 06:58

I have a 'Listener' class that is subclassing QTcpServer

class Listener : public QTcpServer {
...

It is using a worker

class NewConnectionHandler : public QThread {
...

In this worker class I provide a socket for the server to use in each new connection

moveToThread(this);

QFile certFile(QStringLiteral("./certificate/testC.cer"));
QFile keyFile(QStringLiteral("./certificate/testR.pem"));
certFile.open(QIODevice::ReadOnly);
keyFile.open(QIODevice::ReadOnly);
QSslCertificate certificate(&certFile, QSsl::Pem);
QSslKey sslKey(&keyFile, QSsl::Rsa, QSsl::Pem);
certFile.close();
keyFile.close();

sslSocket.moveToThread(this);
sslSocket.setLocalCertificate(certificate);
sslSocket.setPrivateKey(sslKey);
sslSocket.setProtocol(QSsl::TlsV1SslV3);
sslSocket.startServerEncryption();

connect(&sslSocket, SIGNAL(readyRead()), SLOT(read()));
connect(&sslSocket, SIGNAL(disconnected()), SLOT(disconnected()));
connect(&readTimer, SIGNAL(timeout()), SLOT(readTimeout()));

this->start();

This is pretty much what I am trying to do. The server is highly based from the one in the link I provided, and the one from VoidRealm's youtube video.

SGaist · wrote on 3 Apr 2015, 22:42

On what is the first moveToThread called ?

ealione · wrote on 7 Apr 2015, 06:43

I use moveToThread for the ConnectionHandler class (class NewConnectionHandler) that takes care of creating a socket in the manner described above. I then return it to my listener class. It works for a TcpSocket, but if I try to alter it like above then it stops working.

SGaist · wrote on 7 Apr 2015, 23:18

If you really want to use multithreading then have a look at the Threaded Fortune Server example

ealione · wrote on 8 Apr 2015, 07:02

I have. Usually all my projects get inspired by either the examples or some other project that someone has put on the web. Its just that sometimes I have trouble moving them to the next level, just like with this one.