[99s-extend] cowboy client cert auth, basic auth
Loïc Hoguin
essen at ninenines.eu
Fri Jun 6 16:09:56 CEST 2014
On 06/06/2014 03:59 PM, Daniel Goertzen wrote:
> Okay, I see how I can wrap cowboy_protocol:init() to perhaps add cert
> information to env or stuff it in an ets table / gproc / process
> dictionary. Is this what you mean? I think that will work for me.
Something like that, yes. Process dictionary is probably the quick and
dirty way, env would be cleaner but take more code as you then have to
move it from env to handler opts.
> My immediate application is to provide a secure RESTful API for a
> network appliance. Think securing the Web of Things. I really do want
> to get in the client's face if they don't have the right certificate.
>
> I'm late in saying this, but thank you for making Cowboy so easy to read
> and understand.
>
> Cheers,
> Dan.
>
>
>
> On Thu, Jun 5, 2014 at 4:24 PM, Loïc Hoguin <essen at ninenines.eu
> <mailto:essen at ninenines.eu>> wrote:
>
> Misunderstood what you needed then.
>
> Note that the services that are completely blocked from anyone who
> doesn't have the right cert are virtually non-existent, it doesn't
> make sense to add a feature for it.
>
> You can do that kind of thing by having custom code creating the
> protocol process by the way. There's no need to patch Cowboy for that.
>
>
> On 06/05/2014 11:01 PM, Daniel Goertzen wrote:
>
> But then I would have to check the client cert for each and every
> request. I should have to check the cert only once at connect
> time and
> then be able to pass the result of that check in the request to each
> handler.
>
> Anyway I've gone ahead and implemented what I need in a generic
> manner
> and it seems to work well. I think it would be a useful addition to
> Cowboy. If you agree I could write some more documentation for it.
>
> https://github.com/__goertzenator/cowboy/tree/__onconnect
> <https://github.com/goertzenator/cowboy/tree/onconnect>
>
> I added a "onconnect" hook and "connection metadata" to
> cowboy_req. The
> connection metadata works like existing metadata, but is
> preserved from
> request to request on the same connection. The onconnect hook
> provides
> initial values for the connection metadata.
>
> Dan.
>
>
>
>
> On Thu, Jun 5, 2014 at 3:04 AM, Loïc Hoguin <essen at ninenines.eu
> <mailto:essen at ninenines.eu>
> <mailto:essen at ninenines.eu <mailto:essen at ninenines.eu>>> wrote:
>
> On 06/05/2014 01:44 AM, Daniel Goertzen wrote:
>
>
>
>
> On Wed, Jun 4, 2014 at 4:48 PM, Loïc Hoguin
> <essen at ninenines.eu <mailto:essen at ninenines.eu>
> <mailto:essen at ninenines.eu <mailto:essen at ninenines.eu>>
> <mailto:essen at ninenines.eu <mailto:essen at ninenines.eu>
> <mailto:essen at ninenines.eu <mailto:essen at ninenines.eu>>>> wrote:
>
> On 06/04/2014 10:08 PM, Daniel Goertzen wrote:
>
> I am having very good luck with Cowboy so far,
> but I
> have some
> questions:
>
> 1. There doesn't appear to be any way to do client
> certificate
> authorization in Cowboy, although I see there
> is an
> example for
> doing
> exactly that with Ranch. I think I could
> modify Cowboy
> to do what I
> want, but I thought I would ask if there were
> other options
> before doing
> that.
>
>
> Same as Ranch really, you just gotta take the
> socket and
> then call
> the ssl functions.
>
>
> Yes, but in cowboy there's no API to get at the socket.
>
>
> There is the undocumented function cowboy_req:get/1 which
> is meant
> for that kind of "special" use.
>
>
> --
> Loïc Hoguin
> http://ninenines.eu
>
>
>
> --
> Loïc Hoguin
> http://ninenines.eu
>
>
--
Loïc Hoguin
http://ninenines.eu
More information about the Extend
mailing list