What's the correct procedure for setting up authentication with peer-to-peer replication on iOS/Mac?


Brendan Duddridge

Dec 31, 2015, 12:50:52 AM
to Couchbase Mobile
Hi,

I have peer-to-peer syncing working between my Mac and iPhone app.

I've currently set up my app so the user can optionally set up a password that is used to provide authentication info to the CBLListener and CBLReplicator.

So there are two things I'm doing. One is setting the username and password dictionary on the listener:

[self.syncListener setPasswords:@{self.documentID: self.syncPasswordFromKeychain}];


According to the docs, this also sets the requiresAuth flag, and it is set when I check it.

The other is generating a URL that has the username and password in it:

- (NSURL *)peerURLWithSSL:(BOOL)ssl {
    NSURLComponents *components = [[NSURLComponents alloc] init];
    components.scheme = (ssl ? @"https" : @"http");
    components.host = self.service.hostName;
    components.port = @(self.service.port);
    components.path = [@"/" stringByAppendingString:self.databaseDocument.documentID];
    // Only embed credentials when the user has configured a sync password.
    if (self.databaseDocument.syncPasswordFromKeychain) {
        components.user = self.databaseDocument.documentID;
        components.password = self.databaseDocument.syncPasswordFromKeychain;
    }
    return components.URL;
}



However I'm not entirely sure how to validate the passwords so I can display an error letting the user know they require a valid password. I implemented the CBLListener delegate passwordForUser: but it never seems to get called. I've set my class as the delegate for the listener.

According to the documentation:

/** Authenticates a request that uses Basic or Digest authentication.
    If this method is not implemented, the `passwords` dictionary registered with the CBLListener
    is consulted instead. */


I thought if I could implement that method then I could decide if I should show an error or not. Otherwise, I do have the passwords dictionary also set as above.

So anyway, if there's some guidance on using basic authentication that would be great. I have read the Wiki page on certificate authentication, but I've been trying to make it work with basic authentication over SSL.

I'm using the latest build from master.

Thanks,

Brendan

Brendan Duddridge

Jan 8, 2016, 3:11:16 PM
to Couchbase Mobile
My issue may be related to a self-signed certificate that I set up for my listener.

According to CBLHTTPConnection, the method to determine if the listener is password protected is this:

- (BOOL)isPasswordProtected:(NSString *)path {
    return !_hasClientCert && self.listener.requiresAuth;
}


When I create my listener, I set this up:

BOOL success = [self.syncListener setAnonymousSSLIdentityWithLabel:@"tf-peer-sync" error:&error];


The header file of CBLListener states:

"this makes it less useful for identification, but it still provides encryption of the HTTP traffic."

I do want encrypted traffic but I also want password authentication, which I hope should be secure enough as long as the traffic is going over SSL. But it would seem that you can't have password authentication if you also have encryption.

Am I understanding that correctly?

Thanks,

Brendan

Jens Alfke

Jan 8, 2016, 3:36:43 PM
to mobile-c...@googlegroups.com

On Jan 8, 2016, at 12:11 PM, Brendan Duddridge <bren...@gmail.com> wrote:

I do want encrypted traffic but I also want password authentication, which I hope should be secure enough as long as the traffic is going over SSL. But it would seem that you can't have password authentication if you also have encryption.

I think you’re mixing up client and server certs. The typical SSL connection uses a server cert. Client certs are less commonly used; the client provides one to authenticate itself to the server, in lieu of a password. That’s what the snippet you showed is checking for.

—Jens
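The setup discussed in this thread, as an added example that is not code from either poster or from Couchbase Lite itself: a listener with a server-side SSL identity plus Basic auth, and a client that puts the credentials on the replication and detects a rejected password instead of embedding them in the URL. It assumes the Couchbase Lite 1.x iOS API (CBLListener, CBLAuthenticator, CBLReplication.lastError, CBLHTTPErrorDomain, kCBLReplicationChangeNotification); the PeerSync class and startPull function are illustrative names.

```objectivec
// Added example (assumed Couchbase Lite 1.x API); PeerSync is a hypothetical class.
#import <CouchbaseLite/CouchbaseLite.h>
#import <CouchbaseLiteListener/CBLListener.h>

@interface PeerSync : NSObject <CBLListenerDelegate>
@property (strong) CBLListener *listener;
@end

@implementation PeerSync

- (BOOL)startListenerForDatabase:(CBLDatabase *)db
                            user:(NSString *)user
                        password:(NSString *)password
                           error:(NSError **)error {
    self.listener = [[CBLListener alloc] initWithManager:db.manager port:0]; // 0 = any free port
    // Server certificate only: encrypts the traffic but does not identify the client,
    // so the listener still asks for a password (_hasClientCert stays NO).
    if (![self.listener setAnonymousSSLIdentityWithLabel:@"tf-peer-sync" error:error]) return NO;
    self.listener.passwords = @{user: password};   // also turns on requiresAuth
    self.listener.delegate = self;                 // passwordForUser: is then consulted instead
    return [self.listener start:error];
}

// Called for each request that needs Basic/Digest auth. The listener compares the
// returned value with what the client sent; returning nil rejects unknown users.
- (NSString *)passwordForUser:(NSString *)username {
    return self.listener.passwords[username];
}
@end

// Client side: credentials go on the replication, and a wrong password surfaces as HTTP 401
// in lastError, which is where the "invalid password" error for the user belongs.
static CBLReplication *startPull(CBLDatabase *db, NSURL *peerURL,
                                 NSString *user, NSString *password) {
    CBLReplication *pull = [db createPullReplication:peerURL];
    pull.authenticator = [CBLAuthenticator basicAuthenticatorWithName:user password:password];
    pull.continuous = YES;
    [[NSNotificationCenter defaultCenter] addObserverForName:kCBLReplicationChangeNotification
                                                      object:pull queue:nil
                                                  usingBlock:^(NSNotification *note) {
        NSError *err = pull.lastError;
        if ([err.domain isEqualToString:CBLHTTPErrorDomain] && err.code == 401) {
            NSLog(@"Peer rejected the sync password; prompt the user to re-enter it");
        }
    }];
    [pull start];
    return pull;
}
```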

Brendan Duddridge

Jan 9, 2016, 12:11:23 AM
to Couchbase Mobile
Oh I see. So I guess I don't have a client certificate then. Still not sure why it's not attempting to login with a username and password when I set one though.

Thanks,

Brendan