
I'm looking at the security model of a website that's being developed. After researching the web I have found that there are several security models to secure websites, e.g. Basic Auth, JWT...

At the moment, SSL is not enabled as the site is still in development. The website has a login page and communicates via APIs (including login and logout). On the login page, as a test, I attempted to log in with false details, then looked at the developer tools to identify the security mechanism and found the following screenshots. I think the site is using basic authentication, though I noted that the email/password is not encoded and that a custom login form is used. Could someone confirm whether it is basic authentication being utilised?

[Image: developer tools, request headers]

UPDATE: I discovered that I should have posted screenshots from after the user is authenticated by email/password, as this is where the keys are returned. In the screenshot below a bidder token and a bidder secret are sent back to the client. I think these are generated through crypto on the backend. So I don't think it's JWT, but is this a suitable way of creating keys, and of sending them in the response body rather than in a header?

[Image: network tab after the user logged in]

Login form code:

    // Assumed wrapper name; the question shows only the body of the submit handler.
    function submitLogin() {

        /* prepare ui */
        progress.classList.remove('hide');
        login_btn.innerText = 'Logging In';
        login_btn.setAttribute('disabled', true);

        /* make http request: email and password travel in a JSON body, not in an Authorization header */
        var http = new XMLHttpRequest();
        var url = SERVER + '/api/bidder/login';
        var body = {
            email: email.value,
            password: password.value
        };

        http.open('POST', url, true);
        http.setRequestHeader('Content-Type', 'application/json'); // the media type is 'application/json'; the original sent 'application/JSON'

        http.onreadystatechange = function () { // called each time the request state changes
            if (http.readyState != 4) {
                return; // response not complete yet
            }

            if (http.status == 200) {
                var res = JSON.parse(http.responseText);

                if (res.status) {
                    /* the server returns the bidder token/secret in the response body; kept client-side for later API calls */
                    localStorage.setItem("bidData", JSON.stringify(res.data));
                    window.location.href = window.location.href.replace('login.html', '');
                } else {
                    Toast.show('Danger', res.message);
                }
            } else {
                /* network error or non-200 response: report it rather than leaving the button disabled forever */
                Toast.show('Danger', 'Login request failed (HTTP ' + http.status + ')');
            }

            /* reset ui (runs for every completed request, not only HTTP 200) */
            progress.classList.add('hide');
            login_btn.innerText = 'Log In';
            login_btn.removeAttribute('disabled');
        };
        http.send(JSON.stringify(body));

    }
  • I can't see the screenshots. –  May 30 '20 at 15:41
  • Updated image in question – Orange Juice Jones May 30 '20 at 16:13
  • By "basic authentication", do you mean this or something else? https://en.wikipedia.org/wiki/Basic_access_authentication –  May 30 '20 at 16:34
  • Yes, I think so. I found a video that explains basic auth, so I wanted to know if it's been implemented the same way on the site - https://www.youtube.com/watch?v=fjkxqmRlA9E – Orange Juice Jones May 30 '20 at 16:43
  • I added a comment in my answer –  May 30 '20 at 16:59
  • @KenYo Added request header to question – Orange Juice Jones May 30 '20 at 18:40
  • Header properties are alphabetized and there's no Authorization property on the list. –  May 30 '20 at 20:54
  • If there is no Authorisation property, how does it work? I posted the login form code as I think it's possible to tell from this. – Orange Juice Jones May 30 '20 at 21:23
  • Well, I would assume there is no basic auth here. I guess they check the email and password on the server side and authenticate the user if they provided a valid email and password? –  May 30 '20 at 21:37
  • I checked the API and the code checks email and password. What kind of authentication is this if not basic? Is it secure? – Orange Juice Jones May 30 '20 at 21:48
  • Well, ultimately they see if the email and password match the ones stored in the database (of course hashing the password with a salt, but I won't overly complicate this post here). It's not secure if SSL is not used, because anyone sniffing internet traffic can see the contents of the request, i.e. email and password. –  May 30 '20 at 21:56
  • I think the web server returns a token to the browser once the server finds a password/email match. I was curious as to what type of authentication is being utilised; does it have a name? – Orange Juice Jones May 30 '20 at 22:04
  • I see, it's using a token. Is the token structured as xxxxx.yyyyy.zzzzz (two commas separating the text)? Then it's JWT. https://jwt.io/introduction/ –  May 30 '20 at 22:08
  • I've added an update to the question, logged the user in and captured the network traffic. Are you able to look at it please? – Orange Juice Jones May 31 '20 at 18:05
  • If it's using a decent library for generating the secret key it should be fine (still not recommended to send it over without ssl though). It's normal to send the secret key back to client in response body. As far as the security is concerned, it doesn't matter if it's sent in header or body because they are both either encrypted or not depending on the protocol. –  May 31 '20 at 19:06
  • So is what I explained a custom token authentication scheme? The keys are created by the following line: crypto.createHash('sha1').update(uuidv4()).update(config.hidden.salt).digest('hex') – Orange Juice Jones Jun 01 '20 at 11:16
  • Yeah, it looks like token authentication. SHA-1 is not secure any more, so at least use SHA-2. –  Jun 01 '20 at 15:00
  • On the server it generates two keys for the user: schemaObj.bidderToken = crypto.createHash('sha1').update(uuidv4()).update(config.hidden.salt).digest('hex'); schemaObj.bidderSecret = crypto.createHash('sha256').update(uuidv4()).update(config.hidden.secret).digest('hex'); – Orange Juice Jones Jun 01 '20 at 18:00
  • Then in folder conf.hidden two large strings exist. Token and secret are passed to client. If you do recognise the system deployed, could you suggest a suitable article to read so I can confirm my understanding? Also there is a folder called certificates, I think with a Private Key and a Public Certificate, not sure how this fits in. Maybe related to SSL, though not enabled yet? – Orange Juice Jones Jun 01 '20 at 18:13
  • This post seems to have a good answer and a link to an article attached: https://stackoverflow.com/questions/1592534/what-is-token-based-authentication . And yeah, certificates folder should be related to SSL. –  Jun 01 '20 at 23:17

2 Answers


When you use basic access authentication, credentials wouldn't be loaded in a request payload. They reside in an authorization header like "Authorization: Basic ~some credential here~".

So if you neither see this authorization header in your request nor a popup like below on the website, basic access authentication is not enabled.

[Image: the browser's HTTP Basic authentication login dialog]

  • There isn't a dialog box as you have shown. I have a web page with a form. BTW, I have added an image to the question. – Orange Juice Jones May 30 '20 at 16:31
  • Ok, if you don't see the dialog box, check your request header and see if it contains Authorization header for basic auth. If it doesn't it's not basic auth but something else being implemented. –  May 30 '20 at 16:50
  • I can't see the Authorisation header (not completely sure what to look for). Can you verify from the screenshot I posted? – Orange Juice Jones May 30 '20 at 17:00
  • @Jet I can't see the full request header from your screenshot so I can't verify that. –  May 30 '20 at 17:12
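To make the answer's check concrete, an added example (not the answer's own code) that builds and parses an HTTP Basic credential and inspects a captured set of request headers for the scheme in use. encodeBasic, parseBasic, authScheme and the two constructed header objects are assumed names; the Aladdin credential is the example from RFC 7617.

```javascript
// Added example, not the answer's code. Function names and the constructed
// header sets below are assumptions.

// Builds the credential a browser sends for HTTP Basic authentication
// (RFC 7617): "Basic " + base64("user-id:password"). Base64 is an encoding,
// not encryption; anyone who sees the header has the password.
function encodeBasic(userId, password) {
  if (userId.includes(':')) throw new Error('user-id must not contain ":"');
  return 'Basic ' + Buffer.from(userId + ':' + password, 'utf8').toString('base64');
}

// Parses an Authorization header value. Returns {userId, password} for a
// well-formed Basic credential, or null for anything else (absent header,
// another scheme such as Bearer, malformed base64, no colon after decoding).
function parseBasic(headerValue) {
  if (typeof headerValue !== 'string') return null;
  // The scheme name is case-insensitive; the token68 payload is base64.
  const m = /^\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*$/i.exec(headerValue);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // split on the FIRST colon only: passwords may contain colons
  if (i < 0) return null;
  return { userId: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// The check the answer describes, applied to a captured request's headers:
// returns the lower-cased scheme carried by the Authorization header
// ('basic', 'bearer', ...) or null when there is no such header. Header
// names are matched case-insensitively, as they are on the wire.
function authScheme(headers) {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'authorization') {
      const scheme = String(headers[name]).trim().split(/\s+/)[0].toLowerCase();
      return scheme || null;
    }
  }
  return null;
}

// Constructed header sets. The first mirrors the question's login form: a
// JSON body and no Authorization header at all, so it is not Basic auth
// regardless of what the body contains. The second is what a Basic-auth
// request would carry instead.
const FORM_LOGIN_HEADERS = { 'Content-Type': 'application/json', 'Accept': '*/*' };
const BASIC_LOGIN_HEADERS = {
  'content-type': 'application/json',
  'authorization': encodeBasic('Aladdin', 'open sesame'),
};
```

Run against the headers from the question's screenshot, authScheme returns null, which is the answer's point: with neither an Authorization header nor the browser's credential dialog, the credentials are in the request body and the mechanism is a form login, not Basic auth.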

Spring Security is the most basic authentication in the Spring project. If you want to enable Spring Security, the first thing you must add is the Spring Security library to your project. After adding it, you create a class to configure Spring Security.

A function in the config class for Spring Security:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Answers 401 for unauthenticated requests to protected paths; the bean itself is not shown in the answer.
    @Autowired
    private AuthenticationEntryPoint unauthorizedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors()
                    .and()
                .csrf()
                    .disable() // only acceptable because no session cookie carries the credential (see STATELESS below)
                .exceptionHandling()
                    .authenticationEntryPoint(unauthorizedHandler)
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no HTTP session: every request must carry its own credential
                    .and()
                .authorizeRequests()
                    .antMatchers("/",
                        "/api/statistical/**",
                        "/static/**",
                        "/webjars/**",
                        "/img/**",
                        "/css/**",
                        "/js/**",
                        "/api/diary/**")
                        .permitAll()
                    .antMatchers("/api/auth/**")
                        .permitAll()
                    .antMatchers("/api/user/checkUsernameAvailability", "/api/user/checkEmailAvailability")
                        .permitAll()
                    .antMatchers(HttpMethod.GET, "/api/users/**") //, "/api/polls/**"
                        .permitAll()
                    .anyRequest()
                        .authenticated(); // everything not listed above requires an authenticated request
    }
}
Xuân Cường