http ajax request authentication

[maku]

HI,

I would like to use calibre server ajax functionality.

For authentication purposes: Can anybody of you give me a hint how to do this with javascript (I want to develop a calibre mobile app based on phonegap).

How do I send the correct authentication information to the server?

TIA

Martin

[kovidgoyal]

The server supports http digest authentication. Ajax based authentication is insecure without https and you cant use https on a private server (the certificate wont validate).

[maku]

Quote:

Originally Posted by kovidgoyal

The server supports http digest authentication. Ajax based authentication is insecure without https and you cant use https on a private server (the certificate wont validate).

Thanks for answering:
would it be possible to provide a dedicated login call which returns a token (or maybe it is enought to get the session cookie)- where username and password are sent encrypted ?

TIA
Martin

[kovidgoyal]

Implementing such a thing securely is not a job lightly undertaken. It isn't one that I have the time for, but patches are welcome.

In any case, what's preventing you from using digest auth for your ajax calls? That's what the current calibre content server frontend does.

[maku]

I tried to pass username and password to jquery's ajax function -> which works successfully.
It seems that query handles the autentication process behind the seems....
But I'm not really sure if this approach is secure...

Do you think it is a reasonable way to provide username/passwort on every jquery ajax call?

[kovidgoyal]

You should need to do anything, the browser will automatically provide suername password when using ajax once the user has entered it for the initial page load.

[maku]

Unfortunately under Android (with Phonegap/cordova) it seems not possible to pass the username/password combination to the server via jquery's ajax call - get "Unauthorized" error...

[kovidgoyal]

You dont pass the username/password via ajax. What you do is direct the browser to the server home page. The browser will then ask the user for the username/password. Once the user provides it, the browser automatically uses it for future ajax calls to the same domain.

[maku]

Quote:

Originally Posted by kovidgoyal

You dont pass the username/password via ajax. What you do is direct the browser to the server home page. The browser will then ask the user for the username/password. Once the user provides it, the browser automatically uses it for future ajax calls to the same domain.

Yes, but this is not the use case I want to achieve.

I want a mobile cross plattform calibre client written with cordova/phonegap. This means that the app is delivered as native app. Under the hood it works like a local web app -> html / js / css etc. is therefore within the native mobile app. This app should communicate with calibre server (only via ajax calls to get data from the server) And thats the problem...
When I try it e.g. with google chrome and certain development flags (--disable-web-security -–allow-file-access-from-files) auth. works fine... (jquery ajax call handles apparently the authentification procedure) -> but with the android app it doesn't work...

[kovidgoyal]

Then you're out of luck. I for one have have no interest in that use case. If you want to write a html/js interface to calibre, write one as part of the content server, there's absolutely no need to have it delivered as a "native" app.

[plugin_dev]

jQuery absolutely can perform HTTP basic authentication, for AJAX calls. See here for a demonstration:

https://www.mobileread.com/forums/sho...d.php?t=207644

[chaley]

FWIW: calibre companion is a native android app and it uses digest authentication and ajax. All we needed to do was set up the correct security environment in the http connection.

Code:

		// Set up authentication. Try digest before basic
		List<String> authpref = new ArrayList<String>();
		authpref.add(AuthPolicy.DIGEST);
		authpref.add(AuthPolicy.BASIC);
		httpClient.getParams().setParameter(AuthPNames.TARGET_AUTH_PREF, authpref);

Of course, if you do not have access to the underlying http connection then this scheme will not work.