Added authentication to TMongoWire

[smokingdev]

Hi,

First of all thank you for your work on this library. I needed authentication for my application so I decided to implement it.

I added an Authenticate method to TMongoWire class which requires the user to provide the database to authenticate for, an username and a password.

Because authentication needs MD5 I added an MD5 library by mfichtner@fichtner-meyer.com to the repository. I altered to library so it doesn't cause any collision for users already using the library. It only exports one method MongoMD5Hex which returns an hexadecimal string representation of the hash.

Kind Regards,

Fred Oranje

[stijnsanders]

Could you please change: mongoWire.pas: TMongoWire.Authenticate:

• don't use a local Query object, just call Get( with BSON() in the parameter list
• VarToStr isn't really needed in 'nonce',VarToStr(Nonce['nonce']), (I think)
• please use VarToAnsiStr in the next line (optionally use AnsiType for Authenticate's parameters)
• I would even write Result:=Get(...,BSON(...),nil)['ok']=1; but that's me all for brevity and things mongoMD5.pas:
• change all string to AnsiString and PChar to PAnsiChar: this would cause trouble in newer Delphi versions Thank you (if you want me to, just say so)

[stijnsanders]

That's odd, this md5.pas you've used. It is open source? It looks like the original writer is off the net, but it looks like there's a hard copyright on the thing as in incompatible with the MIT licence?

[smokingdev]

Hi,

I will update the code based on your suggestions tomorrow, thanks!

You're right about the MD5 library, I'm sorry, I'm quite new to the open source world so I didn't even think about licensing issues. Did some research, there aren't a lot MD5 libraries out there for Delphi and none of them are MIT licensed.

Windows provides a set of functions to generate MD5 hashes: http://msdn.microsoft.com/en-us/library/gg547650(v=vs.85).aspx . Would it be an option to use those? Judging by your use of TTcpClient your focusing on Delphi alone (not FreePascal compatibility), but please correct me if I'm wrong. Otherwise I would have to write a MD5 hash unit myself.

Kind regards,

Fred

[stijnsanders]

The MD5-RFC had a reference implementation, and I did SHA256 before, so I'm working on an MD5.pas myself also. (doesn't FPC have TTCPClient? I should check it out, I haven't done mush FPC but should, though...) Another thing that got me worried: by intruducing mongoMD5.pas (or any other unit for that matter) would introduce an extra dependency, either a requirement to include a unit-search-dir so mongoWire.pas is able to find it's extra used units by itself, or by adding the extra unit's to the project's dpr. That's why I thought of perhaps having a separate unit mongoAuth.pas with a single procedure MongoAuthenticate(Wire:TMongoWire) to call on the object right after connect. It's just an idea though...

[stijnsanders]

Have a look at this. https://github.com/stijnsanders/TMongoWire/blob/master/mongoAuth.pas The reference example MD5's return the expected values, but I guess a little extra testing wouldn't hurt, and off-cource, could you test the MongoWireAuth procedure? I'd like to hear if you would really like it to 'house' as a method in an object, then we could create an inheriting class from TMongoWire (or something)

[stijnsanders]

more about this MD5 issue: yoy.be/md5 is it OK if I close this issue (and don't merge your code? sorry!)

[smokingdev]

My apologies for the late response.

I just tested your new code and it works great! I can authenticate as a normal user on a collection and also as an administrator. Thanks!

Your current solution to put the Authenticate method in a separate unit works for me. I original motives for putting the method inside the TMongoWire class was simply that it made sense. I understand your motives regarding an extra unit dependency. I didn't run in to that problem because I have the TMongoWire library directory inside my unit search path.

As for housing the method inside an object? Your thinking about an TMongoAuthenticatedWire object which inherits from the regular TMongoWire just providing the Authenticate and Logout methods? That also is an elegant solution.

And of course it is OK to close this issue. Thank you for your help and assistance in this matter.

Kind regards,

Fred Oranje

[stijnsanders]

Thank you for your input!