[99s-extend] cowboy client cert auth, basic auth

Daniel Goertzen daniel.goertzen at gmail.com
Fri Jun 6 15:59:43 CEST 2014


Okay, I see how I can wrap cowboy_protocol:init() to perhaps add cert
information to env or stuff it in an ets table / gproc / process
dictionary.  Is this what you mean?  I think that will work for me.

My immediate application is to provide a secure RESTful API for a network
appliance.  Think securing the Web of Things.  I really do want to get in
the client's face if they don't have the right certificate.

I'm late in saying this, but thank you for making Cowboy so easy to read
and understand.

Cheers,
Dan.



On Thu, Jun 5, 2014 at 4:24 PM, Loïc Hoguin <essen at ninenines.eu> wrote:

> Misunderstood what you needed then.
>
> Note that the services that are completely blocked from anyone who doesn't
> have the right cert are virtually non-existent, it doesn't make sense to
> add a feature for it.
>
> You can do that kind of thing by having custom code creating the protocol
> process by the way. There's no need to patch Cowboy for that.
>
>
> On 06/05/2014 11:01 PM, Daniel Goertzen wrote:
>
>> But then I would have to check the client cert for each and every
>> request.  I should have to check the cert only once at connect time and
>> then be able to pass the result of that check in the request to each
>> handler.
>>
>> Anyway I've gone ahead and implemented what I need in a generic manner
>> and it seems to work well.  I think it would be a useful addition to
>> Cowboy.  If you agree I could write some more documentation for it.
>>
>> https://github.com/goertzenator/cowboy/tree/onconnect
>>
>> I added an "onconnect" hook and "connection metadata" to cowboy_req.  The
>> connection metadata works like existing metadata, but is preserved from
>> request to request on the same connection.  The onconnect hook provides
>> initial values for the connection metadata.
>>
>> Dan.
>>
>>
>>
>>
>> On Thu, Jun 5, 2014 at 3:04 AM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>
>>     On 06/05/2014 01:44 AM, Daniel Goertzen wrote:
>>
>>
>>
>>
>>         On Wed, Jun 4, 2014 at 4:48 PM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>
>>              On 06/04/2014 10:08 PM, Daniel Goertzen wrote:
>>
>>                  I am having very good luck with Cowboy so far, but I have some
>>                  questions:
>>
>>                  1. There doesn't appear to be any way to do client certificate
>>                  authorization in Cowboy, although I see there is an example for
>>                  doing exactly that with Ranch.  I think I could modify Cowboy to
>>                  do what I want, but I thought I would ask if there were other
>>                  options before doing that.
>>
>>
>>              Same as Ranch really, you just gotta take the socket and then call
>>              the ssl functions.
>>
>>
>>         Yes, but in cowboy there's no API to get at the socket.
>>
>>
>>     There is the undocumented function cowboy_req:get/1 which is meant
>>     for that kind of "special" use.
>>
>>
>>     --
>>     Loïc Hoguin
>>     http://ninenines.eu
>>
>>
>>
> --
> Loïc Hoguin
> http://ninenines.eu
>
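
The connect-time check discussed in this thread, as an added example that is not code from the thread, from Cowboy or from the onconnect branch: it uses only the OTP ssl and public_key applications (OTP 21 or later for ssl:handshake/2), refuses clients without a valid certificate during the handshake, reads the peer certificate once per connection and hands the result to every request on that socket. The module name, function names, the ConnMeta map and the file paths are hypothetical, and a "request" here is one raw chunk of bytes rather than parsed HTTP.

```erlang
-module(cert_once).
-export([start/2]).
-include_lib("public_key/include/public_key.hrl").

%% The map holds placeholder paths to the server's own PEM files.
start(Port, #{certfile := Cert, keyfile := Key, cacertfile := CA}) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, LSock} = ssl:listen(Port, [
        binary, {active, false}, {reuseaddr, true},
        {certfile, Cert}, {keyfile, Key},
        {cacertfile, CA},               % CA that issues the client certs
        {verify, verify_peer},          % validate the client's chain
        {fail_if_no_peer_cert, true}    % no certificate, no connection
    ]),
    spawn(fun() -> acceptor(LSock) end),
    {ok, LSock}.

acceptor(LSock) ->
    case ssl:transport_accept(LSock) of
        {ok, TSock} ->
            spawn(fun() -> acceptor(LSock) end),   % keep accepting
            connect(ssl:handshake(TSock, 5000));
        {error, _} ->
            ok                                     % listener closed
    end.

%% Runs once per connection: the certificate is looked up here and never
%% again, and the result travels with every request on this socket.
connect({ok, Sock}) ->
    case ssl:peercert(Sock) of
        {ok, Der} ->
            Cert = public_key:pkix_decode_cert(Der, otp),
            Tbs = Cert#'OTPCertificate'.tbsCertificate,
            ConnMeta = #{client_subject => Tbs#'OTPTBSCertificate'.subject},
            request_loop(Sock, ConnMeta);
        {error, _} ->
            ssl:close(Sock)
    end;
connect({error, _Reason}) ->
    ok.                                            % rejected in the handshake

request_loop(Sock, ConnMeta = #{client_subject := Subject}) ->
    case ssl:recv(Sock, 0) of
        {ok, _Request} ->
            Reply = io_lib:format("authenticated as ~p~n", [Subject]),
            ok = ssl:send(Sock, Reply),
            request_loop(Sock, ConnMeta);
        {error, _} ->
            ssl:close(Sock)
    end.
```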