[SIP Beyond VoIP] Sylkserver - authentication against an IMAP server
Tijmen de Mes
tijmen at ag-projects.com
Fri Aug 21 11:09:47 CEST 2020
Sorry for getting back so late. I finally have some time to integrate the patch, but I have some questions about the python part.
- Is there any reason you put the config in auth.ini and not include it in webrtcgateway.ini?
- How is account_info.auth_type set if you don’t enable external auth? AFAIS it is not, so my guess would be that send_register in janus.py is false in this case.
> On 20 May 2020, at 15:09, Valentin Kleibel <valentin at vrvis.at> wrote:
> Hi Tijmen,
> I agree that a server side configuration without any special config on the client would be a nice and convenient solution but I'm not sure if this would have implications for the confidentiality of the password.
> Anyways it would be more time consuming and I figured it would be out of reach for me, as someone from outside the project, to try to achieve this.
> Thank you for working with me and I will gladly take the time if you would like to talk about further ideas.
> You can merge the changes any way you'd like. It would be nice to have my name somewhere in the commit message maybe.
> Best regards,
> On 5/20/20 9:11 AM, Tijmen de Mes wrote:
>> Hi Valentin,
>> Thanks for changing it. It looks better now.
>> I still need to check the python part and will get back to you about it.
>> However on the long term, I don’t think selecting an authentication method based on the domain is a very good way. Instead, authentication methods should be only configured in the server and the client should ‘know’ what is supported and do the right thing (ha1 or not). If I find some time in the future, I will probably change it like that. Meanwhile, if the python part is OK we can probably start with your changes.
>> How do you want your changes merged? Do you want to preserve authorship and should I use your name and email as the author, or is it fine if I just merge the changes if they are all OK?
>> Best regards,
>> Tijmen de Mes
>> AG Projects
>>> On 11 May 2020, at 18:34, Valentin Kleibel <valentin at vrvis.at> wrote:
>>> Hi Tijmen,
>>> Thanks for checking the patch and pointing out the issues in our proposed default configuration. It has been changed, the config entry nonSipDomains has been renamed and is now an empty array by default.
>>> Attached you find the changed patch which has also been rebased on the current master on github (commit ff94d00008).
>>> Please excuse the long response time.
>>> On 29/04/2020 14.29, Tijmen de Mes wrote:
>>>> Hi Valentin,
>>>> I looked first at the patch to sylk-webrtc and I have some questions.
>>>> If I understand the patch correctly the following is happening:
>>>> First you check if the account contains an ‘@’ sign, if it does, you split it and check if the domain is in the config.nonSipDomain. Then you set ha1 to false.
>>>> If this is how it works, then option.ha1 will always be set to false, since you set the defaultDomain to the nonSipDomain in the config.
>>>> So I guess the logic needs to change slightly to handle this. Also if the config variable is meant to hold multiple domains, I would call it nonSipDomains.
>>>>> On 7 Apr 2020, at 16:40, Valentin Kleibel <valentin at vrvis.at> wrote:
>>>>> Thanks for your comments on the code. We've done some work based on them.
>>>>>> Unless you have a modified client like yours, this server add-on is kind of useless because it only works for you. We do not want to always send the password in clear text over the web socket, as you require. So if you build a client to use IMAP and you can as well build the server and maintain it yourself.
>>>>> We totally agree that sending the plaintext password over ws is an inferior solution if you use SIP. Unfortunately, to implement any other authentication without even more changes, we need this. Therefore we create a configurable client and sylkrtc.js which by default sends ha1 but can be changed to send plain passwords. See patches sylkrtc-ha1-conditional.patch and sylk-webrtc-ha1-conditional.patch.
>>>>> Those don't change the default code path and can be used independently of each other if you want to send ha1.
>>>>>> Regarding the patch itself, it is blocking. If the IMAP server is not responding, the whole application is stuck. You should figure out an async way to do the IMAP authentication so that it is non-blocking. If you do this, we may add this functionality to the main server code with some comments about where. To download the modified client.
>>>>> We have also written a patch for a non-blocking imap authentication.
>>>>> The authentication itself is in a separate auth.py which also facilitates to implement other authentication methods.
>>>>> What is your opinion on this approach?
>>>>> SIPBeyondVoIP mailing list
>>>>> SIPBeyondVoIP at lists.ag-projects.com
More information about the SIPBeyondVoIP
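
The blocking concern raised in the thread (an unresponsive IMAP server stalling the whole application) is illustrated by this added example, which is not the patch discussed here and not sylkserver code. It assumes Python 3.9+ with asyncio and a worker thread pool; `IMAP_HOST`, `imap_login`, `authenticate` and the demo are hypothetical names, and the stalled server is simulated.

```python
import asyncio
import imaplib
import time
from concurrent.futures import ThreadPoolExecutor

IMAP_HOST = "imap.example.org"             # placeholder host, not from the thread
_POOL = ThreadPoolExecutor(max_workers=4)  # caps concurrent IMAP logins


def imap_login(username, password, host=IMAP_HOST, timeout=5.0):
    """Blocking check: True only if the IMAP server accepts the login."""
    ok = False
    try:
        with imaplib.IMAP4_SSL(host, timeout=timeout) as conn:  # timeout: Python 3.9+
            conn.login(username, password)
            ok = True
    except (OSError, imaplib.IMAP4.error):
        pass  # connection, TLS, timeout or rejected login: stay False
    return ok


async def authenticate(username, password, login=imap_login, deadline=6.0):
    """Run the blocking login in a worker thread; deny on timeout or error."""
    loop = asyncio.get_running_loop()
    job = loop.run_in_executor(_POOL, login, username, password)
    try:
        return (await asyncio.wait_for(job, deadline)) is True
    except (asyncio.TimeoutError, OSError, imaplib.IMAP4.error):
        return False  # fail closed; a late answer from the thread is discarded


async def demo_stalled_server():
    """Constructed scenario: IMAP hangs for 0.5 s, other coroutines keep running."""
    ticks = 0

    def stalled_login(username, password):
        time.sleep(0.5)  # stands in for an unresponsive IMAP server
        return True

    async def other_sessions():
        nonlocal ticks
        while True:
            ticks += 1
            await asyncio.sleep(0.01)

    ticker = asyncio.create_task(other_sessions())
    allowed = await authenticate("alice", "constructed-pw", stalled_login, 0.1)
    ticker.cancel()
    return allowed, ticks
```

The plaintext password only reaches `imap_login`, so the TLS connection to the IMAP server and the web socket carrying it both need to be encrypted for this design to keep it confidential.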