deepstreamIO / deepstream.io

deepstream.io server
https://deepstreamio.github.io
MIT License

deepstream@5.0.5 File Authentication #1041

Closed caracal7 closed 3 years ago

caracal7 commented 4 years ago

deepstream.io server

const fs = require('fs');
const path = require('path');
const { Deepstream } = require( '@deepstream/server' );

const DeepstreamServer = new Deepstream({
    logLevel: 'DEBUG',
    auth: [{
        type: 'file',
        options: {
            users: __dirname + `/users.yml`,   // users: fs.readFileSync(__dirname + `/users.yml`, 'utf8'),
            hash: 'md5',
            iterations: 1,
            keyLength: 32,
        }
    }]
});

users.yml

server:
  password: 202cb962ac59075b964b07152d234b70
  clientData:
    favorite color: blue
  serverData:
    department: admin

chris:
  password: tsA+ks76hGGSGHF8**/JHGusy78=75KQ2Mzm
  clientData:
    favorite color: blue
  serverData:
    department: admin

Node.js client

const { DeepstreamClient }  = require( '@deepstream/client' );
const client = new DeepstreamClient( 'localhost:6020' );
client.login( { username: 'server', password: '123' }, (success, clientData) => {
    console.log(success)
});

deepstream.io server console

undefined
PLUGIN_INITIALIZATION_ERROR | missing password for 0
PLUGIN_INITIALIZATION_ERROR | missing password for 1
PLUGIN_INITIALIZATION_ERROR | missing password for 2
PLUGIN_INITIALIZATION_ERROR | missing password for 3
PLUGIN_INITIALIZATION_ERROR | missing password for 4
PLUGIN_INITIALIZATION_ERROR | missing password for 5
PLUGIN_INITIALIZATION_ERROR | missing password for 6
PLUGIN_INITIALIZATION_ERROR | missing password for 7
PLUGIN_INITIALIZATION_ERROR | missing password for 8
PLUGIN_INITIALIZATION_ERROR | missing password for 9
PLUGIN_INITIALIZATION_ERROR | missing password for 10
PLUGIN_INITIALIZATION_ERROR | missing password for 11
PLUGIN_INITIALIZATION_ERROR | missing password for 12
PLUGIN_INITIALIZATION_ERROR | missing password for 13
PLUGIN_INITIALIZATION_ERROR | missing password for 14
PLUGIN_INITIALIZATION_ERROR | missing password for 15
PLUGIN_INITIALIZATION_ERROR | missing password for 16
PLUGIN_INITIALIZATION_ERROR | missing password for 17
PLUGIN_INITIALIZATION_ERROR | missing password for 18
PLUGIN_INITIALIZATION_ERROR | missing password for 19
PLUGIN_INITIALIZATION_ERROR | missing password for 20
PLUGIN_INITIALIZATION_ERROR | missing password for 21
PLUGIN_INITIALIZATION_ERROR | missing password for 22
PLUGIN_INITIALIZATION_ERROR | missing password for 23
PLUGIN_INITIALIZATION_ERROR | missing password for 24
PLUGIN_INITIALIZATION_ERROR | missing password for 25
PLUGIN_INITIALIZATION_ERROR | missing password for 26
PLUGIN_INITIALIZATION_ERROR | missing password for 27
PLUGIN_INITIALIZATION_ERROR | missing password for 28
PLUGIN_INITIALIZATION_ERROR | missing password for 29
PLUGIN_INITIALIZATION_ERROR | missing password for 30
PLUGIN_INITIALIZATION_ERROR | missing password for 31
PLUGIN_INITIALIZATION_ERROR | missing password for 32
PLUGIN_INITIALIZATION_ERROR | missing password for 33
PLUGIN_INITIALIZATION_ERROR | missing password for 34
PLUGIN_INITIALIZATION_ERROR | missing password for 35
PLUGIN_INITIALIZATION_ERROR | missing password for 36
PLUGIN_INITIALIZATION_ERROR | missing password for 37
PLUGIN_INITIALIZATION_ERROR | missing password for 38
PLUGIN_INITIALIZATION_ERROR | missing password for 39
PLUGIN_INITIALIZATION_ERROR | missing password for 40
PLUGIN_INITIALIZATION_ERROR | missing password for 41
PLUGIN_INITIALIZATION_ERROR | missing password for 42
PLUGIN_INITIALIZATION_ERROR | missing password for 43
PLUGIN_INITIALIZATION_ERROR | missing password for 44
PLUGIN_INITIALIZATION_ERROR | missing password for 45
PLUGIN_INITIALIZATION_ERROR | missing password for 46
PLUGIN_INITIALIZATION_ERROR | missing password for 47
PLUGIN_INITIALIZATION_ERROR | missing password for 48
PLUGIN_INITIALIZATION_ERROR | missing password for 49
PLUGIN_INITIALIZATION_ERROR | missing password for 50
PLUGIN_INITIALIZATION_ERROR | missing password for 51
PLUGIN_INITIALIZATION_ERROR | missing password for 52
PLUGIN_INITIALIZATION_ERROR | missing password for 53
PLUGIN_INITIALIZATION_ERROR | missing password for 54
PLUGIN_INITIALIZATION_ERROR | missing password for 55
PLUGIN_INITIALIZATION_ERROR | missing password for 56
PLUGIN_INITIALIZATION_ERROR | missing password for 57
PLUGIN_INITIALIZATION_ERROR | missing password for 58
PLUGIN_INITIALIZATION_ERROR | missing password for 59
PLUGIN_INITIALIZATION_ERROR | missing password for 60
PLUGIN_INITIALIZATION_ERROR | missing password for 61
PLUGIN_INITIALIZATION_ERROR | missing password for 62
PLUGIN_INITIALIZATION_ERROR | missing password for 63
PLUGIN_INITIALIZATION_ERROR | missing password for 64
PLUGIN_INITIALIZATION_ERROR | missing password for 65
PLUGIN_INITIALIZATION_ERROR | missing password for 66
PLUGIN_INITIALIZATION_ERROR | missing password for 67
PLUGIN_INITIALIZATION_ERROR | missing password for 68
PLUGIN_INITIALIZATION_ERROR | missing password for 69
PLUGIN_INITIALIZATION_ERROR | missing password for 70
PLUGIN_INITIALIZATION_ERROR | missing password for 71
PLUGIN_INITIALIZATION_ERROR | missing password for 72
INFO | State transition (start): CONFIG_LOADED -> LOGGER_INIT
DeepStream started...
INFO | logger ready: std out/err
INFO | server name: k5o4ia57-tnfw2dl7f000
INFO | deepstream version: 5.0.5
INFO | State transition (logger-started): LOGGER_INIT -> SERVICE_INIT
CLUSTER_JOIN | k5o4ia57-tnfw2dl7f000
CLUSTER_SIZE | The cluster size is now 1
INFO | logger ready: std out/err
INFO | monitoring ready: Noop Monitoring
INFO | subscriptions ready: Subscription Registry
INFO | storage ready: Noop Storage
INFO | cache ready: Local Cache
INFO | permission ready: none
INFO | locks ready: Distributed Lock Registry
INFO | clusterNode ready: Single Cluster Node
INFO | clusterRegistry ready: Distributed Cluster Registry
INFO | clusterStates ready: Distributed State Registry
INFO | authentication ready: File Authentication
INFO | Listening for http connections on 127.0.0.1:6020
INFO | Listening for health checks on path /health-check
INFO | httpService ready: NodeJS HTTP Service
INFO | State transition (services-started): SERVICE_INIT -> HANDLER_INIT
INFO | State transition (handlers-started): HANDLER_INIT -> PLUGIN_INIT
INFO | State transition (plugins-started): PLUGIN_INIT -> CONNECTION_ENDPOINT_INIT
INFO | connectionEndpoint ready: Binary WebSocket Connection Endpoint
INFO | connectionEndpoint ready: WS Text Protocol Connection Endpoint
INFO | connectionEndpoint ready: WS Text Connection Endpoint
INFO | connectionEndpoint ready: HTTP connection endpoint
INFO | Listening for MQTT connections on 0.0.0.0:1883
INFO | connectionEndpoint ready: MQTT Protocol Connection Endpoint
INFO | State transition (connection-endpoints-started): CONNECTION_ENDPOINT_INIT -> RUNNING
INFO | Deepstream started
INCOMING_CONNECTION | from undefined (127.0.0.1)
REQUEST | 127.0.0.1
AUTH_UNSUCCESSFUL | invalid authentication data

Node.js client console

false

Also no validation of parameters at all.
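
A pre-flight check for the `options` of a `type: 'file'` auth entry, as an added example that is not part of the original post or of deepstream's code; `validateFileAuthOptions` and `enumeratedUserKeys` are hypothetical names and the inputs are constructed. It rejects a path string passed as `users` and shows that enumerating such a string yields numeric keys, which is consistent with the numbered `missing password for N` lines in the console output above.

```javascript
'use strict';

// Hypothetical pre-flight check for the `options` object of a `type: 'file'`
// auth entry. Names and rules are assumptions for illustration, not deepstream code.
function validateFileAuthOptions(options) {
  const errors = [];
  const { users, hash, iterations, keyLength } = options || {};

  // A path string (or raw file contents) is not a users map; stop early so the
  // caller gets one clear message instead of one error per character.
  if (users === null || typeof users !== 'object' || Array.isArray(users)) {
    errors.push(`users must be an object keyed by username, got ${users === null ? 'null' : typeof users}`);
    return errors;
  }
  for (const [name, entry] of Object.entries(users)) {
    if (!entry || typeof entry.password !== 'string' || entry.password === '') {
      errors.push(`missing password for ${name}`);
    }
  }
  // When a hash is configured, iterations and keyLength must be usable numbers.
  if (hash !== undefined) {
    if (typeof hash !== 'string') errors.push('hash must be an algorithm name');
    if (!Number.isInteger(iterations) || iterations < 1) errors.push('iterations must be a positive integer');
    if (!Number.isInteger(keyLength) || keyLength < 1) errors.push('keyLength must be a positive integer');
  }
  return errors;
}

// What code that blindly enumerates `users` sees: for a string, one key per character.
function enumeratedUserKeys(users) {
  return Object.keys(Object(users));
}

// Constructed inputs mirroring the two configuration styles in this thread.
const asPath = { users: '/srv/app/users.yml', hash: 'md5', iterations: 1, keyLength: 32 };
const asObject = {
  users: {
    server: { password: '202cb962ac59075b964b07152d234b70', clientData: {}, serverData: {} },
    chris: { clientData: {}, serverData: { department: 'admin' } } // password deliberately omitted
  },
  hash: 'md5', iterations: 1, keyLength: 32
};

console.log(validateFileAuthOptions(asPath));
console.log(enumeratedUserKeys(asPath.users).length);
console.log(validateFileAuthOptions(asObject));
```
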

yasserf commented 4 years ago

You need to pass in users as JSON if using it directly, I think.

caracal7 commented 4 years ago

const DeepstreamServer = new Deepstream({
    logLevel: 'DEBUG',
    auth: [{
        type: 'file',
        options: {
            users: {
                server: {
                    password: '202cb962ac59075b964b07152d234b70',
                    clientData: {},
                    serverData: {},
                },
                chris: {
                    password: '202cb962ac59075b964b07152d234b70',
                    clientData: {},
                    serverData: {department: 'admin'},
                }
            },

            hash: 'md5',
            iterations: 1,
            keyLength: 32,
            reportInvalidParameters: true
        }
    }]
});

also didn't work

jaime-ez commented 3 years ago

Hi, when passing config options directly to the server constructor via the node api, you should do it like this:

server.js:

const { Deepstream } = require('@deepstream/server')

const DeepstreamServer = new Deepstream({
  logLevel: 'DEBUG',
  auth: [{
    type: 'file',
    options: {
      users: './users.js',
      hash: 'md5',
      iterations: 5,
      keyLength: 32
    }
  }]
})

DeepstreamServer.start()

users.js:

const users = {
  server: {
    password: '202cb962ac59075b964b07152d234b70',
    clientData: {},
    serverData: {}
  },
  chris: {
    password: '202cb962ac59075b964b07152d234b70',
    clientData: {},
    serverData: { department: 'admin' }
  }
}
module.exports = users

I'll try to update the docs to better explain this.

please reopen if issue persists

jaime-ez commented 3 years ago

Reopening, there is something else going on.

jaime-ez commented 3 years ago

Ok, got it.

  1. When using the node api you should pass the users object, as @caracal7 did:

const DeepstreamServer = new Deepstream({
  logLevel: 'DEBUG',
  auth: [{
    type: 'file',
    options: {
      users: {
        server: {
          password: '202cb962ac59075b964b07152d234b70',
          clientData: {},
          serverData: {}
        },
        chris: {
          password: '202cb962ac59075b964b07152d234b70',
          clientData: {},
          serverData: { department: 'admin' }
        }
      },
      iterations: 5,
      keyLength: 32
    }
  }]
})

The problem is that when you set the hashing algorithm, you must pass the hashed password when logging in, otherwise it won't match. @caracal7 was setting the hash option to md5 but logging in with an unhashed password, thus the error.

I'll update the docs.

@yasserf what do you think of allowing the path option when using the file auth in order to call it like I did in my previous comment? This would imply adding this here

    if (auth.options && auth.options.path) {
      const req = require
      auth.options.users = req(fileUtils.lookupConfRequirePath(auth.options.path))
    }

yasserf commented 3 years ago

@jaime-ez we should avoid doing any actual file loading in the server (outside of the yaml* initialiser). If the user is using deepstream via node constructor they are responsible for doing their own file loading (due to formats / locations / etc).

yasserf commented 3 years ago

Actually let's just put it in (saw your PR). The issue doesn't make that much sense to me but there is code still loading json for permissions.

Thanks!

jaime-ez commented 3 years ago

Yes, I went for it since for permissions it is possible. I'm gonna close this for now and continue discussion on the pull request regarding the combined auth strategies.