<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.6" />
<title>Introduction to Wt::Auth</title>
<link rel="stylesheet" href="./emweb.css" type="text/css" />
<link rel="stylesheet" href="./pygments.css" type="text/css" />
<script type="text/javascript" src="./asciidoc.js"></script>
<script type="text/javascript" src="./emweb.js"></script>
<script type="text/javascript">
/*<![CDATA[*/
asciidoc.install(2);
/*]]>*/
</script>
</head>
<body class="article">
<div id="header">
<h1>Introduction to Wt::Auth</h1>
<div id="toc">
<div id="toctitle">Table of Contents</div>
<noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
</div>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph"><p>Koen Deforche <<a href="mailto:koen@emweb.be">koen@emweb.be</a>><br /></p></div>
<div class="paragraph"><p>For Wt 3.2.1 (March 16 2012)</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_prerequisites">1. Prerequisites</h2>
<div class="sectionbody">
<div class="paragraph"><p>In Wt 3.2.0, an authentication module was added to Wt. In this
tutorial, we use an example as a hands-on introduction to this
module. This example is included in the Wt distribution, in
<a href="https://github.com/kdeforche/wt/tree/master/examples/feature/auth1">examples/feature/auth1</a>.</p></div>
<div class="paragraph"><p>This introduction assumes that you have a reasonable understanding of
Wt itself, in particular it’s stateful session model and the widget
concept. If you haven’t done so yet, you may want to go through the
<a href="http://www.webtoolkit.eu/wt/doc/tutorial/wt.html">Wt tutorial</a> first.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_introduction">2. Introduction</h2>
<div class="sectionbody">
<div class="paragraph"><p>The authentication module implements the logic and widgets involved in
getting users registered on your application, and letting them sign
in. Note that this module is entirely optional, and simply implemented
on top of <a href="http://www.webtoolkit.eu/wt">Wt</a>.</p></div>
<div class="paragraph"><p>The module implements
<a href="http://en.wikipedia.org/wiki/Authentication">authentication</a>. Its main
purpose is to securely authenticate a user to sign in to your
application. From your application, you will interact with the
authentication module using a
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1Login.html">Wt::Auth::Login</a> object, which you
typically hold in your application object. It indicates the user
currently signed in (if any), and propagates authentication events.</p></div>
<div class="paragraph"><p>How you use this information for
<a href="http://en.wikipedia.org/wiki/Authorization">authorization</a> or to
customize the user experience is out of the scope of the
module. Because of Wt’s built-in security features, with strong
session hijacking mitigation, this is as straight forward as one can
conceive it.</p></div>
<div class="paragraph"><p>Currently, the module provides the following features, which can be
separately enabled, configured or customized:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>Password authentication</strong>, using
<a href="http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication">best
practices</a> including <a href="http://en.wikipedia.org/wiki/Salted_hash">salted
hashing</a> with strong cryptographic hash functions (such as
<a href="http://en.wikipedia.org/wiki/Bcrypt">bcrypt</a>) and password strength
checking.
</p>
</li>
<li>
<p>
<strong>Remember-me</strong> functionality, again using best practices, by
associating authentication tokens stored in cookies to a user.
</p>
</li>
<li>
<p>
<strong>Verified email addresses</strong> using the typical confirmation email
process.
</p>
</li>
<li>
<p>
<strong>Lost password functionality</strong> that uses the verified email address
to prompt a user to enter a new password.
</p>
</li>
<li>
<p>
Authentication using <strong>3rd party Identity Providers</strong>, currently using
<a href="http://oauth.net/2/">OAuth 2</a>, with support for multiple identities per
user. We’ve added an implementation using Google, but others will be
added, and in the future we may expect standardization using
OpenIDConnect.
</p>
</li>
<li>
<p>
<strong>Registration</strong> logic, which includes also the logic needed to merge
new (federated login) identities into existing user profiles. For
example, if a user previously registered using a user name and
password, he may later also authenticate using for example his Google
Account and this new identity is added to his existing account.
</p>
</li>
</ul></div>
<div class="paragraph"><p>The logic for these features is implemented separately from the
user-interface components, which can be customized or completely
replaced with your own widgets.</p></div>
<div class="paragraph"><p>Next to traditional password-based authentication, we’ve been careful
to have a design that accommodates 3rd party identity providers
(<a href="http://en.wikipedia.org/wiki/Federated_identity">federated login</a>)
such as Google, Twitter, Facebook, etc… and other authentication
mechanisms in general (authenticating
<a href="http://en.wikipedia.org/wiki/Reverse_proxy">reverse proxies</a>, client
SSL certificates, LDAP, token devices …).</p></div>
<div class="paragraph"><p>Federated login is a compelling proposition, but has currently not had
widespread success, because of usability issues and other problems,
including privacy concerns. There are a number of exciting
developments however which promise to resolve this:</p></div>
<div class="ulist"><ul>
<li>
<p>
<a href="http://openid.net/connect/">OpenIDConnect</a> is the much plagued
<a href="http://openid.net/">OpenID</a> protocol redone, but this time on top of
<a href="http://oauth.net/2/">OAuth2.0</a>, and aims to be the "open and
distributed" alternative to
<a href="http://developers.facebook.com/docs/guides/web/">Facebook Connect</a>. In
particular it solves the confusion of using URLs as identity, and
instead has moved on to email addresses. There is an auto-discovery
protocol that queries your email provider, and this should eliminate
most privacy concerns (because you do trust your email provider, don’t
you ?).
</p>
</li>
<li>
<p>
<a href="http://accountchooser.com/">AccountChooser</a> aims to provide a
consistent and universal method for users to sign in to
websites. Together with the use of the email address-as-identity this
might just work.
</p>
</li>
<li>
<p>
Implementing a usable federated login system is complex, and
increasingly so. Not only is the logic daunting
(<a href="http://sites.google.com/site/oauthgoog/UXFedLogin/loginlogic">account
linking</a> is one example), it also requires a good mix of Ajax-y
user-interface components, server-side logic and state with a protocol
that involves receiving and sending HTTP requests, and integration
into a traditional password-based authentication module. Well, we are
solving that ;-)
</p>
</li>
</ul></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">OAuth2.0, OpenIDConnect, and AccountChooser are currently draft
specifications. We plan to expand our support as these drafts turn
into endorsed specifications. In particular, it would be <em>a plan
coming together</em> when we add an <tt>AccountChooserWidget</tt> that
complements the current
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1AuthWidget.html">Wt::Auth::AuthWidget</a>
and
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1RegistrationWidget.html">Wt::Auth::RegistrationWidget</a>
classes and which allows users to authenticate with any email provider
using the OpenIDConnect discovery protocol.</td>
</tr></table>
</div>
<div class="paragraph"><p>Obviously, the authentication logic needs to talk to a storage system,
and it is designed to hook into a storage system using an abstract
interface. A default implementation that leverages
<a href="http://www.webtoolkit.eu/wt/doc/tutorial/dbo/tutorial.html">Wt::Dbo</a>,
Wt’s ORM, is provided.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_module_organization">3. Module organization</h2>
<div class="sectionbody">
<div class="paragraph"><p>The following picture illustrates the main classes of the module.</p></div>
<div class="imageblock" style="text-align:center;">
<div class="content">
<img src="img/auth.png" alt="img/auth.png" />
</div>
</div>
<div class="paragraph"><p>It uses a classical separation between Model classes and View classes
(which are the widgets).</p></div>
<div class="paragraph"><p>There are three types of model classes:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>Service classes</strong> are designed to be shared across all sessions
(they do not have any state besides configuration). They contain logic
which does not require transient state in a session.
</p>
</li>
<li>
<p>
<strong>Session bound</strong> model classes are usually kept in a session for the
entire lifetime of a session (but don’t need to be).
</p>
</li>
<li>
<p>
<strong>Transient</strong> model classes play an active role in the user-interface,
and are instantiated in the context of certain view components. They
implement logic which involves state while the user is progressing
through the login and registration process.
</p>
</li>
</ul></div>
</div>
</div>
<div class="sect1">
<h2 id="_example">4. Example</h2>
<div class="sectionbody">
<div class="paragraph"><p>We’ll walk through a small example which is a basic application that
uses the authentication module (included in the Wt distribution in
<a href="https://github.com/kdeforche/wt/tree/master/examples/feature/auth1">examples/feature/auth1</a>). It
is about 200 lines of C++ (which we’ll discuss below), and has the
following features:</p></div>
<div class="ulist"><ul>
<li>
<p>
Password-based authentication and registration
</p>
</li>
<li>
<p>
OAuth-2 login and registration, for Google Accounts
</p>
</li>
<li>
<p>
Password attempt throttling
</p>
</li>
<li>
<p>
Email verification and a lost password procedure
</p>
</li>
<li>
<p>
Remember-me tokens
</p>
</li>
<li>
<p>
And by virtue of Wt itself, falls back to plain HTML behavior if the
browser does not support Ajax, strong security, spam resilience,
etc…
</p>
</li>
</ul></div>
<div class="paragraph"><p>This example should help you to understand how to add authentication
support to a new or existing Wt project.</p></div>
<div class="sect2">
<h3 id="_setting_up_a_user_database">4.1. Setting up a user database</h3>
<div class="paragraph"><p>We will be using the default implementation for an authentication
database using <tt>Wt::Dbo</tt>, with the default persistence classes for
authentication. This database implementation is found in
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1Dbo_1_1UserDatabase.html">Wt::Auth::Dbo::UserDatabase</a>,
and it uses
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1Dbo_1_1AuthInfo.html">Wt::Auth::Dbo::AuthInfo</a>
as the persistence class for authentication information, which itself
references two other persistence classes:</p></div>
<div class="ulist"><ul>
<li>
<p>
A user’s <strong>"identities"</strong> are stored in a separate table. An identity
uniquely identifies a user. Traditionally, a user would have only a
single identity which is his login name (which could be his email
address). But a user may accumulate more identities, corresponding to
accounts with 3rd party identity providers. By allowing multiple
identities, the user may identify using a choice of methods.
</p>
</li>
<li>
<p>
<strong>Authentication tokens</strong> are stored in a separate table. An
authentication token usually corresponds to a "remember-me" cookie,
and a user may have multiple "remember-me" cookies when using
different computers.
</p>
</li>
</ul></div>
<div class="paragraph"><p>In addition, we define a <tt>User</tt> type to which we can add the
application data for a particular user (this could be address
information, birth date, preferences, user role, etc…), and which we
want to link up with the authentication system.</p></div>
<div class="paragraph"><p>The definition and persistence mapping for (a currently empty) User
type is as given below:</p></div>
<div class="listingblock">
<div class="title">User.h</div>
<div class="content"><div class="highlight"><pre><span class="cp">#include <Wt/Dbo></span>
<span class="cp">#include <Wt/WGlobal></span>
<span class="k">namespace</span> <span class="n">dbo</span> <span class="o">=</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Dbo</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">User</span><span class="p">;</span>
<span class="k">typedef</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">Dbo</span><span class="o">::</span><span class="n">AuthInfo</span><span class="o"><</span><span class="n">User</span><span class="o">></span> <span class="n">AuthInfo</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">User</span> <span class="p">{</span>
<span class="k">public</span><span class="o">:</span>
<span class="k">template</span><span class="o"><</span><span class="k">class</span> <span class="nc">Action</span><span class="o">></span>
<span class="kt">void</span> <span class="n">persist</span><span class="p">(</span><span class="n">Action</span><span class="o">&</span> <span class="n">a</span><span class="p">)</span>
<span class="p">{</span>
<span class="p">}</span>
<span class="p">};</span>
</pre></div></div></div>
<div class="paragraph"><p>We declare a typedef for <tt>AuthInfo</tt>, which links the authentication
information persistence class to our custom <tt>User</tt> information
persistence class.</p></div>
<div class="paragraph"><p>Next, we define a session class, which encapsulates the connection to
the database to store authentication information, and which also
tracks the user currently logged in, in a web session. We choose to
use the
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Dbo_1_1Session.html">Wt::Dbo::Session</a>
class as a base class (which could just as well be an embedded
member).</p></div>
<div class="paragraph"><p>Later on, we’ll see how each web session will instantiate its own
persistence/authentication <tt>Session</tt> object.</p></div>
<div class="listingblock">
<div class="title">Session.h</div>
<div class="content"><div class="highlight"><pre><span class="cp">#include <Wt/Dbo/Session></span>
<span class="cp">#include <Wt/Dbo/ptr></span>
<span class="cp">#include <Wt/Dbo/backend/Sqlite3></span>
<span class="cp">#include "User.h"</span>
<span class="k">namespace</span> <span class="n">dbo</span> <span class="o">=</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Dbo</span><span class="p">;</span>
<span class="k">typedef</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">Dbo</span><span class="o">::</span><span class="n">UserDatabase</span><span class="o"><</span><span class="n">AuthInfo</span><span class="o">></span> <span class="n">UserDatabase</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">Session</span> <span class="o">:</span> <span class="k">public</span> <span class="n">dbo</span><span class="o">::</span><span class="n">Session</span>
<span class="p">{</span>
<span class="k">public</span><span class="o">:</span>
<span class="n">Session</span><span class="p">(</span><span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&</span> <span class="n">sqliteDb</span><span class="p">);</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">AbstractUserDatabase</span><span class="o">&</span> <span class="n">users</span><span class="p">();</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">Login</span><span class="o">&</span> <span class="n">login</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">login_</span><span class="p">;</span> <span class="p">}</span>
<span class="p">...</span>
<span class="k">private</span><span class="o">:</span>
<span class="n">dbo</span><span class="o">::</span><span class="n">backend</span><span class="o">::</span><span class="n">Sqlite3</span> <span class="n">connection_</span><span class="p">;</span>
<span class="n">UserDatabase</span> <span class="o">*</span><span class="n">users_</span><span class="p">;</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">Login</span> <span class="n">login_</span><span class="p">;</span>
<span class="p">...</span>
<span class="p">};</span>
</pre></div></div></div>
<div class="paragraph"><p>Notice the typedef for <tt>UserDatabase</tt>, which states that we will be
using the
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1Dbo_1_1UserDatabase.html">Wt::Auth::Dbo::UserDatabase</a>
implementation using <tt>AuthInfo</tt>, for which we declared a typedef
earlier on. You are of course free to provide another implementation
for
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1AbstractUserDatabase.html">Wt::Auth::AbstractUserDatabase</a>
which is not based on <tt>Wt::Dbo</tt>.</p></div>
<div class="paragraph"><p>We also embed a
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1Login.html">Wt::Auth::Login</a>
member here, which is a small model class that holds the current login
information. The login/logout widgets will manipulate this login
object, while the rest of our application will listen to login changes
from this object to adapt to the user currently logged in.</p></div>
<div class="paragraph"><p>The <tt>Session</tt> constructor sets up the database session.</p></div>
<div class="listingblock">
<div class="title">Session.C (constructor)</div>
<div class="content"><div class="highlight"><pre><span class="cp">#include "Session.h"</span>
<span class="cp">#include "User.h"</span>
<span class="cp">#include "Wt/Auth/Dbo/AuthInfo"</span>
<span class="cp">#include "Wt/Auth/Dbo/UserDatabase"</span>
<span class="k">using</span> <span class="k">namespace</span> <span class="n">Wt</span><span class="p">;</span>
<span class="n">Session</span><span class="o">::</span><span class="n">Session</span><span class="p">(</span><span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">&</span> <span class="n">sqliteDb</span><span class="p">)</span>
<span class="o">:</span> <span class="n">connection_</span><span class="p">(</span><span class="n">sqliteDb</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">setConnection</span><span class="p">(</span><span class="n">connection_</span><span class="p">);</span>
<span class="n">mapClass</span><span class="o"><</span><span class="n">User</span><span class="o">></span><span class="p">(</span><span class="s">"user"</span><span class="p">);</span>
<span class="n">mapClass</span><span class="o"><</span><span class="n">AuthInfo</span><span class="o">></span><span class="p">(</span><span class="s">"auth_info"</span><span class="p">);</span>
<span class="n">mapClass</span><span class="o"><</span><span class="n">AuthInfo</span><span class="o">::</span><span class="n">AuthIdentityType</span><span class="o">></span><span class="p">(</span><span class="s">"auth_identity"</span><span class="p">);</span>
<span class="n">mapClass</span><span class="o"><</span><span class="n">AuthInfo</span><span class="o">::</span><span class="n">AuthTokenType</span><span class="o">></span><span class="p">(</span><span class="s">"auth_token"</span><span class="p">);</span>
<span class="k">try</span> <span class="p">{</span>
<span class="n">createTables</span><span class="p">();</span>
<span class="n">std</span><span class="o">::</span><span class="n">cerr</span> <span class="o"><<</span> <span class="s">"Created database."</span> <span class="o"><<</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span>
<span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">exception</span><span class="o">&</span> <span class="n">e</span><span class="p">)</span> <span class="p">{</span>
<span class="n">std</span><span class="o">::</span><span class="n">cerr</span> <span class="o"><<</span> <span class="n">e</span><span class="p">.</span><span class="n">what</span><span class="p">()</span> <span class="o"><<</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span>
<span class="n">std</span><span class="o">::</span><span class="n">cerr</span> <span class="o"><<</span> <span class="s">"Using existing database"</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">users_</span> <span class="o">=</span> <span class="k">new</span> <span class="n">UserDatabase</span><span class="p">(</span><span class="o">*</span><span class="k">this</span><span class="p">);</span>
<span class="p">}</span>
</pre></div></div></div>
<div class="paragraph"><p>The example uses a SQLite3 database (a cuddly database convenient for
development), and we map four persistence classes to tables.</p></div>
<div class="paragraph"><p>We then create the data schema if needed, which will automatically
issue the following SQL:</p></div>
<div class="listingblock">
<div class="content"><div class="highlight"><pre><span class="k">create</span> <span class="k">table</span> <span class="ss">"user"</span> <span class="p">(</span>
<span class="ss">"id"</span> <span class="nb">integer</span> <span class="k">primary</span> <span class="k">key</span> <span class="n">autoincrement</span><span class="p">,</span>
<span class="ss">"version"</span> <span class="nb">integer</span> <span class="k">not</span> <span class="k">null</span>
<span class="p">)</span>
<span class="k">create</span> <span class="k">table</span> <span class="ss">"auth_info"</span> <span class="p">(</span>
<span class="ss">"id"</span> <span class="nb">integer</span> <span class="k">primary</span> <span class="k">key</span> <span class="n">autoincrement</span><span class="p">,</span>
<span class="ss">"version"</span> <span class="nb">integer</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"user_id"</span> <span class="nb">bigint</span><span class="p">,</span>
<span class="ss">"password_hash"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"password_method"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">20</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"password_salt"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">20</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"status"</span> <span class="nb">integer</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"failed_login_attempts"</span> <span class="nb">integer</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"last_login_attempt"</span> <span class="nb">text</span><span class="p">,</span>
<span class="ss">"email"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">256</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"unverified_email"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">256</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"email_token"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"email_token_expires"</span> <span class="nb">text</span><span class="p">,</span>
<span class="ss">"email_token_role"</span> <span class="nb">integer</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="k">constraint</span> <span class="ss">"fk_auth_info_user"</span> <span class="k">foreign</span> <span class="k">key</span>
<span class="p">(</span><span class="ss">"user_id"</span><span class="p">)</span> <span class="k">references</span> <span class="ss">"user"</span> <span class="p">(</span><span class="ss">"id"</span><span class="p">)</span>
<span class="p">)</span>
<span class="k">create</span> <span class="k">table</span> <span class="ss">"auth_token"</span> <span class="p">(</span>
<span class="ss">"id"</span> <span class="nb">integer</span> <span class="k">primary</span> <span class="k">key</span> <span class="n">autoincrement</span><span class="p">,</span>
<span class="ss">"version"</span> <span class="nb">integer</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"auth_info_id"</span> <span class="nb">bigint</span><span class="p">,</span>
<span class="ss">"value"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"expires"</span> <span class="nb">text</span><span class="p">,</span>
<span class="k">constraint</span> <span class="ss">"fk_auth_token_auth_info"</span> <span class="k">foreign</span> <span class="k">key</span>
<span class="p">(</span><span class="ss">"auth_info_id"</span><span class="p">)</span> <span class="k">references</span> <span class="ss">"auth_info"</span> <span class="p">(</span><span class="ss">"id"</span><span class="p">)</span>
<span class="p">)</span>
<span class="k">create</span> <span class="k">table</span> <span class="ss">"auth_identity"</span> <span class="p">(</span>
<span class="ss">"id"</span> <span class="nb">integer</span> <span class="k">primary</span> <span class="k">key</span> <span class="n">autoincrement</span><span class="p">,</span>
<span class="ss">"version"</span> <span class="nb">integer</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"auth_info_id"</span> <span class="nb">bigint</span><span class="p">,</span>
<span class="ss">"provider"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="ss">"identity"</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">512</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span>
<span class="k">constraint</span> <span class="ss">"fk_auth_identity_auth_info"</span> <span class="k">foreign</span> <span class="k">key</span>
<span class="p">(</span><span class="ss">"auth_info_id"</span><span class="p">)</span> <span class="k">references</span> <span class="ss">"auth_info"</span> <span class="p">(</span><span class="ss">"id"</span><span class="p">)</span>
<span class="p">)</span>
</pre></div></div></div>
<div class="paragraph"><p>Notice the <tt>auth_info</tt>, <tt>auth_token</tt> and <tt>auth_identity</tt> tables that
define the storage for our authentication system.</p></div>
</div>
<div class="sect2">
<h3 id="_configuring_authentication">4.2. Configuring authentication</h3>
<div class="paragraph"><p>The service classes
(<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1AuthService.html">Wt::Auth::AuthService</a>,
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1PasswordService.html">Wt::Auth::PasswordService</a>,
and
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1OAuthService.html">Wt::Auth::OAuthService</a>),
can be shared between sessions and contain the configuration and logic
which does not require transient session state.</p></div>
<div class="paragraph"><p>A good location to add these service classes are inside a specialized
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1WServer.html">Wt::WServer</a>
instance, of which you usually also have only one in a Wt process. You
could also create a singleton for them. To keep the example simple, we
will declare them simply as global variables (but within file scope):
<tt>myAuthService</tt>, <tt>myPasswordService</tt>, and <tt>myOAuth</tt>.</p></div>
<div class="listingblock">
<div class="title">Session.C (authentication services)</div>
<div class="content"><div class="highlight"><pre><span class="cp">#include "Wt/Auth/AuthService"</span>
<span class="cp">#include "Wt/Auth/HashFunction"</span>
<span class="cp">#include "Wt/Auth/PasswordService"</span>
<span class="cp">#include "Wt/Auth/PasswordStrengthValidator"</span>
<span class="cp">#include "Wt/Auth/PasswordVerifier"</span>
<span class="cp">#include "Wt/Auth/GoogleService"</span>
<span class="k">namespace</span> <span class="p">{</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">AuthService</span> <span class="n">myAuthService</span><span class="p">;</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">PasswordService</span> <span class="n">myPasswordService</span><span class="p">(</span><span class="n">myAuthService</span><span class="p">);</span>
<span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o"><</span><span class="k">const</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">OAuthService</span> <span class="o">*></span> <span class="n">myOAuth</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="n">Session</span><span class="o">::</span><span class="n">configureAuth</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">myAuthService</span><span class="p">.</span><span class="n">setAuthTokensEnabled</span><span class="p">(</span><span class="kc">true</span><span class="p">,</span> <span class="s">"logincookie"</span><span class="p">);</span>
<span class="n">myAuthService</span><span class="p">.</span><span class="n">setEmailVerificationEnabled</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">PasswordVerifier</span> <span class="o">*</span><span class="n">verifier</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">PasswordVerifier</span><span class="p">();</span>
<span class="n">verifier</span><span class="o">-></span><span class="n">addHashFunction</span><span class="p">(</span><span class="k">new</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">BCryptHashFunction</span><span class="p">(</span><span class="mi">7</span><span class="p">));</span>
<span class="n">myPasswordService</span><span class="p">.</span><span class="n">setVerifier</span><span class="p">(</span><span class="n">verifier</span><span class="p">);</span>
<span class="n">myPasswordService</span><span class="p">.</span><span class="n">setAttemptThrottlingEnabled</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span>
<span class="n">myPasswordService</span><span class="p">.</span><span class="n">setStrengthValidator</span><span class="p">(</span><span class="k">new</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">PasswordStrengthValidator</span><span class="p">());</span>
<span class="k">if</span> <span class="p">(</span><span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">GoogleService</span><span class="o">::</span><span class="n">configured</span><span class="p">())</span>
<span class="n">myOAuthServices</span><span class="p">.</span><span class="n">push_back</span><span class="p">(</span><span class="k">new</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">GoogleService</span><span class="p">(</span><span class="n">myAuthService</span><span class="p">));</span>
<span class="p">}</span>
<span class="k">const</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">AuthService</span><span class="o">&</span> <span class="n">Session</span><span class="o">::</span><span class="n">auth</span><span class="p">()</span>
<span class="p">{</span>
<span class="k">return</span> <span class="n">myBaseAuth</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">const</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">PasswordService</span><span class="o">&</span> <span class="n">Session</span><span class="o">::</span><span class="n">passwordAuth</span><span class="p">()</span>
<span class="p">{</span>
<span class="k">return</span> <span class="n">myPasswords</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">const</span> <span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o"><</span><span class="k">const</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">OAuthService</span> <span class="o">*>&</span> <span class="n">Session</span><span class="o">::</span><span class="n">oAuth</span><span class="p">()</span>
<span class="p">{</span>
<span class="k">return</span> <span class="n">myOAuth</span><span class="p">;</span>
<span class="p">}</span>
</pre></div></div></div>
<div class="paragraph"><p>The <a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1AuthService.html">Wt::Auth::AuthService</a>
is configured to support "remember-me" functionality, and email
verification.</p></div>
<div class="paragraph"><p>The
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1PasswordService.html">Wt::Auth::PasswordService</a>
needs a hash function to safely store passwords. You can actually
define more than one hash function, which is useful only if you want
to migrate to a new hash function while still supporting existing
passwords. When a user logs in, and he is not using the "preferred"
hash function, his password will be rehashed with the preferred
one. In this example, we will use
<a href="http://en.wikipedia.org/wiki/Bcrypt">bcrypt</a> which is included as a
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1HashFunction.html">hash
function</a> in Wt::Auth.</p></div>
<div class="paragraph"><p>We also enable password attempt throttling: this mitigates brute force
password guessing attempts.</p></div>
<div class="paragraph"><p>Finally, we also use one (but later, perhaps more)
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1OAuthService.html">Wt::Auth::OAuthService</a>
classes. You need one service per identity provider. Until
OpenIDConnect is supported by most providers, each provider requires a
proprietary method to access identity information using the authorized
OAuth2.0 token. In this case, we only add Google as an identity
provider.</p></div>
</div>
<div class="sect2">
<h3 id="_the_user_interface">4.3. The user interface</h3>
<div class="paragraph"><p>We create a specialized
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1WApplication.html">Wt::WApplication</a>
which contains our authentication session, and instantiates a
<a href="http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1Auth_1_1AuthWidget.html">Wt::Auth::AuthWidget</a>. This
widget shows a login or logout form (depending on the login status),
and also hooks into default forms for registration, lost passwords,
and handling of email-sent tokens in URLs).</p></div>
<div class="listingblock">
<div class="title">User interface</div>
<div class="content"><div class="highlight"><pre><span class="cp">#include <Wt/WApplication></span>
<span class="cp">#include <Wt/WContainerWidget></span>
<span class="cp">#include <Wt/WServer></span>
<span class="cp">#include <Wt/Auth/AuthWidget></span>
<span class="cp">#include <Wt/Auth/PasswordService></span>
<span class="cp">#include "model/Session.h"</span>
<span class="k">class</span> <span class="nc">AuthApplication</span> <span class="o">:</span> <span class="k">public</span> <span class="n">Wt</span><span class="o">::</span><span class="n">WApplication</span>
<span class="p">{</span>
<span class="k">public</span><span class="o">:</span>
<span class="n">AuthApplication</span><span class="p">(</span><span class="k">const</span> <span class="n">Wt</span><span class="o">::</span><span class="n">WEnvironment</span><span class="o">&</span> <span class="n">env</span><span class="p">)</span>
<span class="o">:</span> <span class="n">Wt</span><span class="o">::</span><span class="n">WApplication</span><span class="p">(</span><span class="n">env</span><span class="p">),</span>
<span class="n">session_</span><span class="p">(</span><span class="n">appRoot</span><span class="p">()</span> <span class="o">+</span> <span class="s">"auth.db"</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">session_</span><span class="p">.</span><span class="n">login</span><span class="p">().</span><span class="n">changed</span><span class="p">().</span><span class="n">connect</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="o">&</span><span class="n">AuthApplication</span><span class="o">::</span><span class="n">authEvent</span><span class="p">);</span>
<span class="n">useStyleSheet</span><span class="p">(</span><span class="s">"css/style.css"</span><span class="p">);</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">AuthWidget</span> <span class="o">*</span><span class="n">authWidget</span>
<span class="o">=</span> <span class="k">new</span> <span class="n">Wt</span><span class="o">::</span><span class="n">Auth</span><span class="o">::</span><span class="n">AuthWidget</span><span class="p">(</span><span class="n">Session</span><span class="o">::</span><span class="n">auth</span><span class="p">(),</span> <span class="n">session_</span><span class="p">.</span><span class="n">users</span><span class="p">(),</span>
<span class="n">session_</span><span class="p">.</span><span class="n">login</span><span class="p">());</span>
<span class="n">authWidget</span><span class="o">-></span><span class="n">model</span><span class="p">()</span><span class="o">-></span><span class="n">addPasswordAuth</span><span class="p">(</span><span class="o">&</span><span class="n">Session</span><span class="o">::</span><span class="n">passwordAuth</span><span class="p">());</span>
<span class="n">authWidget</span><span class="o">-></span><span class="n">model</span><span class="p">()</span><span class="o">-></span><span class="n">addOAuth</span><span class="p">(</span><span class="n">Session</span><span class="o">::</span><span class="n">oAuth</span><span class="p">());</span>
<span class="n">authWidget</span><span class="o">-></span><span class="n">setRegistrationEnabled</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span>
<span class="n">authWidget</span><span class="o">-></span><span class="n">processEnvironment</span><span class="p">();</span>
<span class="n">root</span><span class="p">()</span><span class="o">-></span><span class="n">addWidget</span><span class="p">(</span><span class="n">authWidget</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="n">authEvent</span><span class="p">()</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">session_</span><span class="p">.</span><span class="n">login</span><span class="p">().</span><span class="n">loggedIn</span><span class="p">())</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">log</span><span class="p">(</span><span class="s">"notice"</span><span class="p">)</span> <span class="o"><<</span> <span class="s">"User "</span> <span class="o"><<</span> <span class="n">session_</span><span class="p">.</span><span class="n">login</span><span class="p">().</span><span class="n">user</span><span class="p">().</span><span class="n">id</span><span class="p">()</span>
<span class="o"><<</span> <span class="s">" logged in."</span><span class="p">;</span>
<span class="k">else</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">log</span><span class="p">(</span><span class="s">"notice"</span><span class="p">)</span> <span class="o"><<</span> <span class="s">"User logged out."</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">private</span><span class="o">:</span>
<span class="n">Session</span> <span class="n">session_</span><span class="p">;</span>
<span class="p">};</span>
</pre></div></div></div>
<div class="paragraph"><p>The last part is our main function where setup the application server:</p></div>
<div class="listingblock">
<div class="title">Application server setup</div>
<div class="content"><div class="highlight"><pre><span class="n">Wt</span><span class="o">::</span><span class="n">WApplication</span> <span class="o">*</span><span class="n">createApplication</span><span class="p">(</span><span class="k">const</span> <span class="n">Wt</span><span class="o">::</span><span class="n">WEnvironment</span><span class="o">&</span> <span class="n">env</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">return</span> <span class="k">new</span> <span class="n">AuthApplication</span><span class="p">(</span><span class="n">env</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="n">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">try</span> <span class="p">{</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">WServer</span> <span class="n">server</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
<span class="n">server</span><span class="p">.</span><span class="n">setServerConfiguration</span><span class="p">(</span><span class="n">argc</span><span class="p">,</span> <span class="n">argv</span><span class="p">,</span> <span class="n">WTHTTP_CONFIGURATION</span><span class="p">);</span>
<span class="n">server</span><span class="p">.</span><span class="n">addEntryPoint</span><span class="p">(</span><span class="n">Wt</span><span class="o">::</span><span class="n">Application</span><span class="p">,</span> <span class="n">createApplication</span><span class="p">);</span>
<span class="n">Session</span><span class="o">::</span><span class="n">configureAuth</span><span class="p">();</span>
<span class="k">if</span> <span class="p">(</span><span class="n">server</span><span class="p">.</span><span class="n">start</span><span class="p">())</span> <span class="p">{</span>
<span class="n">Wt</span><span class="o">::</span><span class="n">WServer</span><span class="o">::</span><span class="n">waitForShutdown</span><span class="p">();</span>
<span class="n">server</span><span class="p">.</span><span class="n">stop</span><span class="p">();</span>
<span class="p">}</span>
<span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">Wt</span><span class="o">::</span><span class="n">WServer</span><span class="o">::</span><span class="n">Exception</span><span class="o">&</span> <span class="n">e</span><span class="p">)</span> <span class="p">{</span>
<span class="n">std</span><span class="o">::</span><span class="n">cerr</span> <span class="o"><<</span> <span class="n">e</span><span class="p">.</span><span class="n">what</span><span class="p">()</span> <span class="o"><<</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span>
<span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">exception</span> <span class="o">&</span><span class="n">e</span><span class="p">)</span> <span class="p">{</span>
<span class="n">std</span><span class="o">::</span><span class="n">cerr</span> <span class="o"><<</span> <span class="s">"exception: "</span> <span class="o"><<</span> <span class="n">e</span><span class="p">.</span><span class="n">what</span><span class="p">()</span> <span class="o"><<</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div></div></div>
</div>
</div>
</div>
</div>
<div id="footnotes"><hr /></div>
<div id="footer">
<div id="footer-text">
Last updated 2012-03-16 17:28:06 CET
</div>
</div>
</body>
</html>
