Custom User Authentication

[Rpgdudester]

Good evening,

I was wondering if you had an example of how you set up custom user authentication with GenHTTP.

So far I love how easily everything works. I'm able to get my users (username/ encrypted password) added into the basic authentication, but my issue is that I can't figure out how to check the incoming request from the website so i can verify the password with Bcrypt (since the password is encrypted) and send the page back.

As I said, I love how everything works on this so far.

I've been using it to build a API system for a MUD (text based MMO) editor that i'm building, this seems to be the only issue i'm having, is the basic authentication stuff.

so if you possibly had an example floating around that I could look over and glean information from, I would greatly appreciate it!

-Joshua

[Kaliumhexacyanoferrat]

Hey Joshua,

a web authentication flow allowing users to authenticate using a web form (and probably third party authentication providers such as Facebook or GitHub) is not available yet and to be implemented in #152.

I started implementation of this feature several times and discarded the approaches as it is not that easy to have al of those concerns separated while keeping the API as simple as possible. One would need to

• redirect the user to the login page if not authenticated (or not, if anonymous access is enabled)
• render the login page in a customizable way
• allow extension flows such as the registration process or password recovery
• introduce a generic session handling mechanism
• support OAuth / OpenID Connect flows for third party providers

I will put this on the roadmap for GenHTTP 7 as this issue bugs me for a long time, but currently there is no out-of-the-box way and at least the login form and some kind of session handling would need to be implemented manually.

Cheers
Andreas

[Kaliumhexacyanoferrat]

After reading your question again, I probably got it wrong the first time. As I understand, you would like to implement a custom way to verify incoming credentials via Basic Authentication using Bcrypt.

The documentation has an example for this:

securedContent.Authentication((user, password) => {
    // verify the username and password here
    // if the authentication fails, e.g. due to invalid password, return null
   return new BasicAuthenticationUser(user);
});

Using this snippet, the user is prompted by the browser for valid credentials until the server accepts them. As soon as valid credentials are entered, the inner handler will be invoked where you can access the user information like this:

var displayName = request.GetUser<IUser>()?.DisplayName;

Feel free to post some code snippet or a link to your current code so I can help you further.

[Rpgdudester]

Ok, what you told me worked out well (i felt like an idiot with that. I'm more of a php programmer and not as good of a c# one),
I was able to get some of the code working like the return new BasicAuthenticationUser(user) (which I think I wrote that right, if not, maybe you can give me a better idea).

You mentioned to return null if the authentication fails. I did try to return a null on here and the snippet below shows a resulting error.

Maybe you have some insight into that.

So far, I love how easily your code was to get going for my game, and how quickly I was able to get everything up and running and connected to my MUD code so thank you for that!!

• Joshua

[Kaliumhexacyanoferrat]

Ah, I will have a look on monday an come back to you.

[Kaliumhexacyanoferrat]

The authenticator is defined as Func<string, string, ValueTask<IUser?>>, so if you are not using async/await here, you need to return a new ValueTask<IUser>().

[Rpgdudester]

Ok, that makes sense. Thanks for everything!!!

…

Sent from my iPhone On Mar 28, 2022, at 4:06 AM, Andreas Nägeli ***@***.***> wrote:  The authenticator is defined as Func<string, string, ValueTask<IUser?>>, so if you are not using async/await here, you need to return a new ValueTask<IUser>(). — Reply to this email directly, view it on GitHub<#281 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKUNOFSGPCWQFMYOTQLBLD3VCFZAFANCNFSM5RS6LTCA>. You are receiving this because you authored the thread.Message ID: ***@***.***>