updates

Author: Telemechanics

JSON-File-Server/README.md

@@ -1,30 +1,107 @@
-# WebDAV and Web File Server With User Database and ACL
+# Authentication and Authorization Example
 
-This document includes the example 2 source code for the [How to Create a Cloud Storage Server Tutorial](https://makoserver.net/articles/How-to-Create-a-Cloud-Storage-Server#udb). This example is compatible with any [BAS](https://realtimelogic.com/products/barracuda-application-server/) derivative product with a file system, including the Mako Server and Xedge32.
+This example shows how to enable both authentication and authorization using an Access Control List (ACL). The **Barracuda App Server (BAS)** provides several API functions for managing authentication and, optionally, authorization. See the [authenticator documentation](https://realtimelogic.com/ba/doc/en/lua/lua.html#auth_overview) for details.
 
-Run the example, using the Mako Server, as follows:
+## Authentication vs. Authorization
 
-```
+- **Authentication** verifies the identity of a user.
+- **Authorization** determines what resources a user can access after authentication.
+
+While applications may implement their own ACL directly, this example utilizes both authentication and authorization APIs provided by BAS. We use the easy-to-use **[JSON Authenticator](https://realtimelogic.com/ba/doc/en/lua/lua.html#ba_create_jsonuser)**, which includes an optional authorizer that assigns permissions based on the following:
+- The authenticated user
+- A predefined set of URIs
+- The HTTP method used
+
+## File Server Integration
+
+This example applies the combined authenticator and authorizer to a **[File Server object](https://realtimelogic.com/ba/doc/en/lua/lua.html#ba_create_wfs)**, which integrates:
+- **WebDAV**, enabling file management through WebDAV clients.
+- **Web File Manager**, allowing users to browse and manage files through a web interface.
+
+For details on using WebDAV, refer to the tutorial [How to Create a Cloud Storage Server](https://makoserver.net/articles/How-to-Create-a-Cloud-Storage-Server).
+
+**Note:** The **JSON Authenticator** is not restricted to use with a **File Server** object. It can also be used in standard web applications, offering an easy to implement authentication mechanism. Additionally, its built-in authorization capabilities provide a convenient way to manage access control within your application.
+
+
+## User Database and ACL Configuration
+
+The user database and ACL setup are also covered in the tutorial **How to Create a Cloud Storage**, section **[Creating a User Database](https://makoserver.net/articles/How-to-Create-a-Cloud-Storage-Server#udb)**.
+
+To keep the example concise, user credentials and ACL rules are **hardcoded** within the [.preload](www/.preload) script.
+
+## Authentication and Authorization
+
+### HTTP Digest Authentication
+
+This example uses **[HTTP Digest Authentication](https://realtimelogic.com/ba/doc/en/authentication.html#authtypes)**, which prompts users for credentials via a browser pop-up. Note that:
+- Browsers **cache** the HTTP credentials until they are completely closed.
+- Some browsers may keep processes in memory even after closing all windows, retaining authentication.
+
+### Hardcoded User Credentials
+
+The following credentials are preconfigured in this example:
+
+| Username | Password |
+|----------|----------|
+| guest    | guest    |
+| kids     | kids     |
+| mom      | mom      |
+| dad      | dad      |
+
+
+### Server-Side Authentication via request:login()
+
+This example also shows how to use the [request:login()](https://realtimelogic.com/ba/doc/en/lua/lua.html#request_login) method, which allows server-side code to authenticate a user without relying on **HTTP authentication** or the web-based authentication mechanisms provided by **BAS**. This method is designed for integrating authentication systems not natively supported by the server, such as **[Single Sign-On](../fs-sso/README.md) (SSO)** or **WebAuthn**.
+
+#### Using `request:login()` with an Authorizer
+
+In this example, `request:login()` is used alongside an **authorizer**. When an authorizer is enabled:
+- `request:login()` **must** be called with valid user credentials.
+- Attempting to log in without arguments or with a non-existent user will be denied.
+
+The `index.lsp` page demonstrates this by allowing authentication with the registered users: **mom, dad, kids, and guest**. It also provides options to:
+- Attempt authentication with `nil` (Lua's equivalent of "no value").
+- Logging in as an unregistered user.
+
+When using an unregistered user, authentication succeeds, but the authorizer **blocks access** and returns a "No Access" message.
+
+#### Testing Without an Authorizer
+
+The included `mako.conf` file contains a setting that is read by the `.preload` script. This setting allows you to **disable the authorizer** for testing purposes. Without an authorizer, `request:login()` grants access to the protected **File Server** resource regardless of the username provided.
+
+
+
+
+## How to Use the Example
+
+This example is designed to run on the **[Mako Server](https://makoserver.net/download/overview/)**. To start the example, navigate to the project directory and launch the server with the following command:
+
+```sh
 cd JSON-File-Server
 mako -l::www
 ```
 
 For detailed instructions on starting the Mako Server, please refer to our [Mako Server command line video tutorial](https://youtu.be/vwQ52ZC5RRg) and review the [server's command line options](https://realtimelogic.com/ba/doc/?url=Mako.html#loadapp) in our documentation.
 
-Once you've successfully started the Mako Server, open a web browser and go to http://localhost:portno/fs/, where 'portno' represents the HTTP port number used by the Mako Server (this number is displayed in the console).
+Once you have successfully started the Mako Server, open a web browser and navigate to http://localhost:portno, where 'portno' represents the HTTP port number used by the Mako Server (this number is displayed in the console).
 
-To access the system, use the following login credentials:
+On this page, you can:
+- **Access the File Server** at `fs/` and log in using **HTTP Digest Authentication**.
+- **Test `request:login()`** to authenticate users programmatically.
 
-| Username | Password |
-|----------|----------|
-| guest    | guest |
-| kids     | kids |
-| mom      | mom |
-| dad      | dad |
+Try the different login methods and observe how authentication works. When using **HTTP Digest Authentication**, the browser's login dialog will prompt for credentials - enter one of the **usernames and passwords** [listed above](#hardcoded-user-credentials).
 
-For guidance on how to map the WebDAV drive, watch this instructional video: https://youtu.be/i5ubScGwUOc
+After testing the login methods, stop the server and open [mako.conf](mako.conf) in an editor, remove the comment to disable the authorizer, and re-start the server.
 
-Please be aware that this application does not contain any web pages or resources except for the WebDAV/file-server installed at /fs/. Additional information can be found in the www/.preload Lua script.
+## Files in the `www` Directory
 
+- **`.preload`** - The [.preload startup script](https://realtimelogic.com/ba/doc/en/Mako.html#preload) configures the **authenticator** and **authorizer** using hardcoded values. It initializes a **File Server instance** and integrates it into the **[Virtual File System](https://realtimelogic.com/ba/doc/en/VirtualFileSystem.html) (VFS)**. Additionally, the script sets up a directory structure on your hard drive for use by the File Server.
 
+- **`index.lsp`** - Provides navigation options:
+  - Access the **File Server** at `fs/` and log in using **Digest Authentication**.
+  - Authenticate using `request:login()`.
+  - If already authenticated, accessing this page will redirect you to `logout.lsp`.
 
+- **`logout.lsp`** - Handles user logout:
+  - Logs the user out and redirects the users back to `index.lsp`, except for those using **Digest Authentication** (due to browser-based credential caching).
+  - Displays additional logout-related details when not redirected.

JSON-File-Server/mako.conf

@@ -0,0 +1,3 @@
+
+-- Remove comment below to disable
+-- authorize=false

JSON-File-Server/www/.preload

@@ -27,6 +27,7 @@ local maxUploads = mako and 200 or 10 -- Assume resource constr. if not mako
 local maxLocks=100
 require"wfs" -- install ba.create.wfs
 local fsdir=ba.create.wfs("fs",10,wdio,ldir,maxUploads,maxLocks)
+fsdir:configure{logouturi=dir:baseuri().."logout.lsp"}
 fsdir:insert() -- Insert as a root node with name 'fs' in the VFS
 
 -- Create the user db with the users: guest, kids, dad, and mom.
@@ -70,8 +71,15 @@ authuser:set(createUserDB())
 local authenticator=ba.create.authenticator(authuser)
 
 -- Create the authorizer and install the constraints.
-local authorizer=authuser:authorizer()
-authorizer:set(createConstraints())
+local authorizer
+local authorize = false ~= require"loadconf".authorize or false
+if authorize then
+   authorizer=authuser:authorizer()
+   authorizer:set(createConstraints())
+   trace"Installing authorizer"
+else
+   trace"Authorizer not installed!!!"
+end
 
 -- Install the authenticator and the ACL
 fsdir:setauth(authenticator,authorizer)

JSON-File-Server/www/index.lsp

@@ -0,0 +1,88 @@
+
+<?lsp
+
+if request:user() then
+   response:sendredirect"logout.lsp"
+end
+
+local username=request:data"username"
+if username and "POST" == request:method() then
+   if "nil" == username then
+     username=nil
+     trace"Setting username to nil"
+   end
+   trace(string.format("Auto logging in using the username '%s'",username))
+   if request:login(username) then
+      response:sendredirect"fs/"
+   else
+      trace"Cannot login"
+      response:sendredirect""
+   end
+end
+?>
+
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Auto Login</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+            background-color: #f4f4f4;
+        }
+        .login-container {
+            background: white;
+            padding: 20px;
+            border-radius: 10px;
+            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
+            text-align: center;
+        }
+        select, button {
+            padding: 10px;
+            margin-top: 10px;
+            font-size: 16px;
+        }
+        li{
+            list-style: none;
+            text-align: left;
+           margin-bottom:5px;
+
+        } 
+        li::before{ 
+            content: "\1F882";
+
+        }
+        li
+    </style>
+</head>
+<body>
+    <div class="login-container">
+        <h2>Two Login Options:</h2>
+        <ul>
+            <li><a href="fs/">Navigate to the File Server</a> and log in using HTTP Digest Authentication</li>
+            <li>Select a user below to auto-login via <code>request:login(username)</code></li>
+        </ul>
+
+        <h2>Auto Login</h2>
+        <form method="POST" action="">
+            <select id="userSelect" name="username">
+                <option value="mom">Mom</option>
+                <option value="dad">Dad</option>
+                <option value="kids">Kids</option>
+                <option value="guest">Guest</option>
+                <option value="anonymous">Anonymous</option>
+                <option value="nil">(nil)</option>
+            </select>
+            <br>
+            <button type="submit">Login</button>
+        </form>
+    </div>
+</body>
+</html>

JSON-File-Server/www/logout.lsp

@@ -0,0 +1,48 @@
+<?lsp
+
+local user,_,authtype=request:user()
+
+request:logout(true)
+
+trace("Authenticator type:", "?" == authtype and "request:login()" or authtype)
+
+if not user or "digest" ~= authtype then
+   response:sendredirect"./"
+end
+
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Cannot Log Out</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+            background-color: #f4f4f4;
+        }
+        .message-container {
+            background: white;
+            padding: 20px;
+            border-radius: 10px;
+            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
+            max-width:500px;
+        }
+        h2{text-align: center;}
+    </style>
+</head>
+<body>
+    <div class="message-container">
+        <h2>Cannot Log Out</h2>
+        <p>You are using HTTP Digest Authentication and logged in as '<?lsp=user?>'. Even though you have been logged out on the server side, your browser will automatically re-authenticate when you navigate back to the <a href="fs/">File Server</a>.</p>
+        <p>HTTP authentication credentials are cached by your browser until you fully close all browser windows. Be aware that some browsers may remain in memory even after all visible windows are closed.</p>
+<p>You can return to the <a href="./">main index page</a> and log in using the auto-login option. Additionally, you can switch users by selecting a different auto-login option, instantly assuming their identity. Automatic HTTP authentication occurs only when accessing the File Server while not already logged in on the server side.</p>
+    </div>
+</body>
+</html>
+

fs-sso/README.md

@@ -36,7 +36,7 @@ Follow these steps to configure your application in the Azure portal:
 5.  Set the account type to **Single tenant** (in most cases).
 6.  Click on **Select a platform** and choose **Web**.
 7.  For the redirect URI, include all relevant sites (e.g., test sites).
-    For testing purposes, you can use `http://localhost`.
+    For testing purposes, you can use `http://localhost`. For deployment, see [Redirect URI Requirements](#redirect-uri-requirements).
 8.  Click **Register** at the bottom of the page.
 9.  On the following page, copy and save both the **Application (client)
     ID** and the **Directory (tenant) ID**.
@@ -252,3 +252,9 @@ sso = ssoModule.init(openid, login [, log])
       - `nil, errorMessage, errorCodes`
          + **errorMessage:** A string detailing the error, which can be presented to the user.
          + **errorCodes:** An array of [error codes](https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes) returned by MS Entra. The index.lsp example page manages the two error codes 7000215 and 7000222 related to invalid client secret.
+
+## Redirect URI Requirements
+
+For testing purposes, using HTTP on `localhost` is acceptable. However, in real-world deployments, MS Entra mandates using HTTPS to redirect URI. This requirement ensures that all communications are securely encrypted and that sensitive authentication tokens remain protected during transmission.
+
+When deploying your product/device in a production environment, you must ensure that your web server is configured to use HTTPS and, more importantly, that the browser trusts the server certificate. One option is to use a technology like [SharkTrust](https://realtimelogic.com/services/SharkTrust/), which provides DNS and trusted certificates specifically designed for Intranet web servers. Alternatively, you can implement a similar solution that offers trusted certificate management for your Intranet deployment environment.