I’m creating a small server which exposes a REST API using the HttpAPI stuff.
Rather than using regular login/logout authentication with sessions, I’d rather make the server completely stateless and just use a pre-shared key/secret to “authenticate” each of my REST methods.
So, similar to what happens with regular sessions where the GUID is placed in the ApiKey header of the REST calls, I want to do the same but just supply a known pre-shared value for this header and somehow check/authenticate this on the server in each function.
Basically each instance of this server will only ever be accessed by a single client so I don’t want the overhead/faff of logging in and out and dealing with sessions and expiry and so forth. The functions are all effectively stateless and don’t need any sessions.
Thanks, the second option looks cleaner but is there any documentation about how the HttpAPI authentication stuff works?
I’m currently using the TROHttpApiSimpleAuthenticationManager, can I just use this as a template for my own but change the ReadAuthenticationInfo method to check the supplied Access-Token header against a known value?
I’m trying to wrap my head around how it actually works but I don’t understand what this ReadAuthenticationInfo method is doing. It seems to just create a TROHttpApiSession object but that appears to be little more than a class that just holds a couple of values. I can’t figure out how/where the actual sessions are checked.
I’ve created a test server with a single method in a service which doesn’t require sessions. I’m using the TROHttpApiSimpleAuthentication manager.
I then try calling the method from Postman. If I put a random GUID into the Access-Token header then it works fine. If I leave it blank however, then I get a 401 response back.
The difference in the ReadAuthenticationInfo function is that the latter call creates a TROHttpApiSession with a blank token and an EmptyGUID. This is presumably what then leads to the 401 error result but I don’t know how.
If I create my own authentication manager but, in the ReadAuthenticationInfo method, I just check the token header against a known GUID, what should I then create and return in terms of the TROHttpApiSession object?
How things work in the case of TROHttpApiSimpleAuthenticationManager:
You call the Login method with some parameters.
If login is successful, a session is created and its GUID is returned to the client via the Access-Token token; check TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo.
To access a protected service, the client side should provide Access-Token=value in the HTTP header.
The server side reads this token in TROHttpApiSimpleAuthenticationManager.ReadAuthenticationInfo and creates a TROHttpApiSession.
You can override the ReadAuthenticationInfo method and check your token. If it is successful, you can create a TROHttpApiSession with a pre-created SessionID so it will work as expected.
Also, I can suggest overriding WriteAuthenticationInfo and returning nothing to keep it secure.
Copied TROHttpApiSimpleAuthenticationManager to my own class.
Changed ReadAuthenticationInfo to check the Access-Token header value against a known GUID.
If it matches then I return TROHttpApiSession.Create('', EmptyGUID), otherwise I throw an exception.
I set SecurityMode to smPerMethod and have an OnCanWriteMethodSecurity handler which just sets CanWrite := False.
I have a single service with a single method which just returns a test string. The service doesn’t require sessions.
This appears to work! If I call the method from Postman and supply the known GUID in the Access-Token header then it works fine. If I put anything else in this header then the ReadAuthenticationInfo throws an exception and I get a 401 back in Postman.
Is what I’m doing here “OK”?
I don’t need sessions at all really as the server is effectively stateless and will only ever be accessed by a single client. All endpoints can simply include the “pre-shared secret GUID” in the Access-Token header and I then don’t have to worry about any login/logout methods or session expiry or any such stuff.
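The approach described in the reply above (override ReadAuthenticationInfo to check the token, override WriteAuthenticationInfo to return nothing) and the implementation the original poster then describes, written out as one added Delphi example. This is not code from the thread or from RemObjects. Names taken from the thread: TROHttpApiSimpleAuthenticationManager, ReadAuthenticationInfo, WriteAuthenticationInfo, TROHttpApiSession, TROHttpApiSession.Create('', EmptyGUID) and the Access-Token header. Assumptions not confirmed by the thread: the unit that declares the base class, the IROHTTPRequest / IROHTTPResponse parameter types and the GetHeaderValue accessor; adapt those to the Remoting SDK version in use. The check itself is kept in a pure function with a constant-time comparison, and it fails closed when no secret has been configured.

```delphi
unit uPreSharedKeyAuthManager;

// Added example, not code from the thread or from RemObjects.
// Assumed (not shown in the thread): the unit that declares the base class,
// the IROHTTPRequest / IROHTTPResponse parameter types, and the
// GetHeaderValue accessor. Adapt these to the Remoting SDK version in use.

interface

uses
  SysUtils,
  uROHttpApiDispatcher; // assumed unit name for TROHttpApiSimpleAuthenticationManager

type
  TPreSharedKeyAuthManager = class(TROHttpApiSimpleAuthenticationManager)
  private
    FSecret: string; // load from config/environment at startup, never hard-code
  public
    // Pure check, kept separate from the SDK plumbing so it can be unit-tested.
    function TokenIsValid(const aToken: string): Boolean;
    function ReadAuthenticationInfo(const aRequest: IROHTTPRequest): TROHttpApiSession; override;
    procedure WriteAuthenticationInfo(const aResponse: IROHTTPResponse;
      aSession: TROHttpApiSession); override;
    property Secret: string read FSecret write FSecret;
  end;

implementation

// Compares two strings in time that depends only on their length, so a wrong
// token does not leak how many leading characters matched. The length itself
// is not secret here: the shared value is a fixed-length GUID.
function ConstantTimeEquals(const A, B: string): Boolean;
var
  i: Integer;
  diff: Cardinal;
begin
  if Length(A) <> Length(B) then
    Exit(False);
  diff := 0;
  for i := 1 to Length(A) do
    diff := diff or Cardinal(Ord(A[i]) xor Ord(B[i]));
  Result := diff = 0;
end;

function TPreSharedKeyAuthManager.TokenIsValid(const aToken: string): Boolean;
begin
  // Fail closed: an unconfigured secret must not accept an empty header.
  Result := (FSecret <> '') and ConstantTimeEquals(aToken, FSecret);
end;

function TPreSharedKeyAuthManager.ReadAuthenticationInfo(
  const aRequest: IROHTTPRequest): TROHttpApiSession;
var
  token: string;
begin
  token := aRequest.GetHeaderValue('Access-Token'); // accessor name assumed
  if not TokenIsValid(token) then
    // As reported in the thread, raising here makes the dispatcher answer 401.
    raise Exception.Create('Invalid or missing Access-Token');
  // No real session state: the same placeholder session the thread uses.
  Result := TROHttpApiSession.Create('', EmptyGUID);
end;

procedure TPreSharedKeyAuthManager.WriteAuthenticationInfo(
  const aResponse: IROHTTPResponse; aSession: TROHttpApiSession);
begin
  // Deliberately empty: never echo the shared secret back in a response header.
end;

end.
```

Assign Secret once at startup from a configuration file or environment variable, and serve the API over HTTPS only: the Access-Token value is a bearer credential, so anyone who can read the request header can replay it. A request with a missing, empty or mismatched header is rejected before any service method runs, which is the behaviour the Postman test in the thread observes.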