Cookie-Based Authentication POST
I'm writing a .NET application that uses HttpClient to connect to the API and retrieve video.
The Documentation provided for "Cookie-based authentication" details the following to login:
- Call GET /api/getNonce - In response you'll get a JSON object with realm and nonce (nonce is a session key for this user)
- Calculate authentication hash auth_digest, using realm and nonce (see algorithm below)
- Call POST /api/cookieLogin and pass the "auth" parameter in the json request body - Server will check authentication and set session cookies
Which then expands on "Calculating Authentication Hash" with the following steps:
- Call GET /api/getNonce - In response you'll get a JSON object with realm and nonce
- Translate user's username to the lower case
- Check the required method ("GET" for HTTP GET requests, "POST" for HTTP POST requests, "PLAY" for RTSP etc)
    digest = md5_hex(user_name + ":" + realm + ":" + password)
    partial_ha2 = md5_hex(method + ":")
    simplified_ha2 = md5_hex(digest + ":" + nonce + ":" + partial_ha2)
    auth_digest = base64(user_name + ":" + nonce + ":" + simplified_ha2)
- Here auth_digest is the required authentication hash
Based on how the Authentication Hash Calculation is described, and the fact that you must POST the Authentication Hash to /api/cookieLogin, I would assume that the Method used when generating this hash would be "POST". However, this always results in a failure that indicates a bad username/password combination. After playing around with it for a while, I eventually found that if I POST an Authentication Hash to /api/cookieLogin that was generated with the string "GET" for the method, the request succeeds and a cookie is returned.
Is this the correct intended behavior? Requesting the nonce used to generate the hash is retrieved via a GET request, so is that the "method" that the instructions refer to? If so, would you ever make a "PLAY" (RTSP) request to getNonce so that the generated authentication hash would use "PLAY" for the method?
Either the instructions are very misleading, or this is a bug and the /api/cookieLogin is not using the Request's Method when validating the Authentication Hash and is likely hardcoded to always use "GET".
Hello Matt,
I checked our codebase, and I confirm that /api/cookieLogin uses the method 'GET' for auth hash.
This is our discrepancy; we will update the documentation and consider supporting both GET and POST in the upcoming releases.
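An added example, not code from the original post or from the vendor's code base: it implements the documented client-side hash steps and a matching server-side check that is hard-wired to "GET" for /api/cookieLogin, as the reply above confirms, so the "POST"-built hash fails exactly as described. The realm, nonce, username and password values are constructed.

```python
import base64
import hashlib
import hmac


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def auth_digest(user_name: str, password: str, realm: str, nonce: str, method: str) -> str:
    """Client side: build the "auth" value for the cookieLogin JSON body."""
    user_name = user_name.lower()  # the docs require a lower-cased username
    digest = _md5_hex(f"{user_name}:{realm}:{password}")
    partial_ha2 = _md5_hex(f"{method}:")
    simplified_ha2 = _md5_hex(f"{digest}:{nonce}:{partial_ha2}")
    return base64.b64encode(f"{user_name}:{nonce}:{simplified_ha2}".encode()).decode()


# Constructed server-side state (hypothetical values, not from the page).
REALM = "ExampleRealm"
SESSION_NONCE = "0123456789abcdef"
# The server only needs md5(user:realm:password) per user, not the cleartext password.
USER_DB = {"matt": _md5_hex(f"matt:{REALM}:s3cret")}


def server_verify(auth: str, expected_method: str = "GET") -> bool:
    """Server side: recompute simplified_ha2 with the method the endpoint expects.

    expected_method defaults to "GET" to mirror what the vendor confirmed for
    /api/cookieLogin; a hash built with "POST" therefore fails to verify.
    """
    try:
        user, nonce, client_ha2 = base64.b64decode(auth).decode("utf-8").split(":", 2)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed auth value
    if nonce != SESSION_NONCE or user not in USER_DB:
        return False  # nonce not issued for this session, or unknown user
    expected = _md5_hex(f"{USER_DB[user]}:{nonce}:{_md5_hex(expected_method + ':')}")
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(expected, client_ha2)


if __name__ == "__main__":
    auth = auth_digest("Matt", "s3cret", REALM, SESSION_NONCE, "GET")
    print("GET-built hash accepted:", server_verify(auth))
    auth = auth_digest("Matt", "s3cret", REALM, SESSION_NONCE, "POST")
    print("POST-built hash accepted:", server_verify(auth))
```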