[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Artanis] Using #:auth to Authenticate a User

From: Jonathan Schmeling
Subject: Re: [Artanis] Using #:auth to Authenticate a User
Date: Thu, 13 Sep 2018 01:54:20 +0000

On 09/12/2018 01:01 PM, Nala Ginrut wrote:
Jonathan Schmeling writes:

In ice-9/boot-9.scm:
    829:9  3 (catch artanis-err #<procedure 5578813493e0 at artanis…> …)
In unknown file:
           2 (_ #<procedure 557881350b60 at artanis/page.scm:86:6 ()> …)
In app/controllers/sign-in.scm:
    27:18  1 (_ #<route-context handler: #<procedure 7fc6faae67e0 at…>)
In unknown file:
           0 (string=? "e5f58613c328a069892ad68fe98002b559fa6d75526…" …)
In procedure string=: Wrong type argument in position 2 (expecting string): #f
HTTP 500
Captured in </tmp/artanis-0.2.5/artanis/server/ragnarok.scm>
Threw in procedure handle-request :
[REASON] Internal ERROR wrong-type-arg (string= Wrong type argument in position ~A (expecting ~A): ~S (2 string #f) (#f))!
[SERVER ERROR] Internal error from server-side, rendering a 500 page for client ...

due to comparing what's drawn from the database to #f (I assume since I'm not properly passing the data to be compared to the endpoint so it's defaulting to false).

Could you try the latest code from git repo? There're lot of fixed since
0.2.5, at lease 150 commits.

Hmm; I thought I had, relatively recently (like, within two weeks from today). 'Also could be my memory; I'll rebuild it.

But I'm also, likely, confused about the HMAC function portion, as well.

I thought the general way to handle passwords were, when users sign up, you add a salt to the password, hash the whole thing, and then save the result and the salt in the database so you don't save the password in the database directly.

Yes, exactly.

But #:auth seems to grab the password and salt columns from the database…and then append the two together and run them from the HMAC/hash function. Which seems to be the result of what I'd expect.

In authentication, the proper way is to fetch the random salt string from
DB, then append to the user provided passwd, then run HMAC/hash, then
compare the result to the stored hashed passwd.

That's what I figured. But the example given in the doc.s is

(post "/auth" #:auth '(table user "user" "passwd") #:session #t

so I figured that the provided "user" and "passwd" designated the names of the columns containing the username and the stored-hashed-password, respectively. And then Artanis would take the user-provided-password (however that gets passed; 'still not sure how to do it) and feed that to the HMAC function's password parameter and the salt from the database to the HMAC function's salt parameter and compare the result to the stored-hashed-password gotten from the database.

But, instead, it looks like it's the stored-hashed-password in the database that's getting passed to the HMAC function. In the previous error response:

In unknown file:
           0 (string=? "e5f58613c328a069892ad68fe98002b559fa6d75526…" …)

I'm assuming that the comparison to #f is because I'm not properly passing the password back but, more over, I'm not sure where that "e5f…" value is coming from. As I mentioned in my previous E-mail I though it was because the HMAC function was using the stored-hashed-password instead of the user-provided-password but that String doesn't match what my HMAC function returns if I pass the user-provided-password I'm using or the stored-hashed-password to it. I even changed the values in the table, since last time, and the error is still showing that "e5f…" String.

I'm not doing anythign particularly crazy with my POST endpoint:

(post "/auth" #:auth `(table PEOPLE "NAME" "PASSWORD" "SALT" ,(lambda (passwd salt)
                                                                (string->sha-512 (format #f "~a-~a" passwd salt))))
              #:session #t
              (lambda (rc)
                 [(:session rc 'check) (redirect-to rc "/sign-in/logged")]
                 [(:auth    rc)        (:session rc 'spawn)
                                       (redirect-to rc "/sign-in/success")]
                 [else                 (redirect-to rc "/sign-in/shoot")])))

And the form's just

<FORM action="" method="post">
  <LABEL for="">

  <INPUT type="text" placeholder="Enter Username" name="user" required>

  <LABEL for="">

  <INPUT type="password" placeholder="Enter Password" name="passwd" required>

  <BUTTON type="submit">

Hopefully that helps make what I'm working with clearer.


I'm at a loss so any clarification would be great!


GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058

reply via email to

[Prev in Thread] Current Thread [Next in Thread]