1

APP SID Validation

Topic: APP SID Validation

Hi,

Is there any API available to validate the SID ( sid query string value passedalong while clicking the APP from wialon hosting/local website )

We are planning to host multiple APP's in our web server and these APP's will be invoked by the users using Wialon Hosting/Local websites, while clicking the App Sid also coming along with the App Url - My question is in what way it can be useful for me to authorize the incoming web request from our web server using that sid so that I can allow authorized requests alone to my webserver  ?

For example I want to allow App web requests from those IP 's on which the App is getting invoked so that I can eliminate the possibility of sharing the URL along with the SID to multiple unknown clients which will become a threat to the server.

Thanks in advance.

2

APP SID Validation

Re: APP SID Validation

karthik, do You want to deny (allow) for some users accessing Your apps?
If so and also Your app is based on Wialon SDK (JS) - in initSession function there is optional parameter checkService:

initSession(String baseUrl, String appDns, Integer sessionFlags, String checkService, String version)

You can pass there service name (app name) to check. If this app is denied in user's account - login will not work.

Head of Wialon Local Department
Gurtam
3

APP SID Validation

(edited by karthik 05/08/2016 19:29:37)

Re: APP SID Validation

Thanks for the reply Deal,

Let me explain it little deeper now, consider the belwo scenario

1. I logged in to Wialon hosting site and clicking the Apps button and invoking my custom App, which will open another browser instance and render my app which is running in our own webserver.

2. Along with the APP URL I am also getting the Sid from the parent browser which is running the wialon hosting website

3. Now using the Sid can I authorize the webrequest coming to our web server via Wialon SDK API's ? I am using JavaScript API from the wialon sdk inside our App

4. For example If someone copy the URL along with the sid and shared to  other person and if the other guy tries to launch the App from different IP I want to block those requests.

5. The IP on which the APP is launched is eligible to use my App but not from other IP's, can I use the Sid to validate anything from the SDK JavaScript API ?

6. Also using the Sid Can I use any JavaScript API in my App which pulls some Unit specific data directly without calling the login API ? In other words whether Sid carries any context to my APP or it only meaningful to Wialon Web server ? then what is the use of passing the Sid to the APP ?

I hope I am explaining thing properly here, If it is confusing let me know I will try to rephrase it. 

Thanks in advance.

4

APP SID Validation

Re: APP SID Validation

karthik, try to use authHash option for Your app.
Authorization hash will be created and passed to Your app when it is opened.
Authorization hash can be used to create copy of session from any IP.
Login to Wialon using loginAuthHash function in Your app and get new sid, that will work for this IP.

As for sid itself - it will only work for requests from the same IP. That's why You don't have to worry about blocking third parties to Your app.
As for AuthHash - it can be used only once after creation.

Head of Wialon Local Department
Gurtam
5

APP SID Validation

Re: APP SID Validation

Thanks for the reply Deal.

I tried your solution but still I was able to access the APP by copying the URL and pasting it from different IP and the APP is still working without any authorization error which is my concern here.

Let me explain the steps I did

1. Passed the sid and authhash from my published App via querystring ( I made these changes via AppConfigurator from CMS )
2. Now my App will get the authHash from the querystring and login via "loginAuthHash" JS API
3. From that IP and session I was able to query different data using JS API which is good and correct
4. Now I copied the URL along with all the querystring and pasted from a different Server (IP of this server will be different )
5. Instead of authorization error I was able to query and get information from wialon server using JS API's from different IP's simultaneously
6. Both my Server1 with IP1 and Server2 with IP2 was able to query wialon API successfully
7. Server1 with IP1 was legitimate to use my APP but not Server2 with IP2
8. Js API loginAuthHash() was not throwing any authorization error if I use it multiple times with the same authHash which is contradicting.

Am I doing anything wrong here Or I need to implement any authorization logic from my webserver which is hosting the APP ?

I shared the Server1 and Server2 screenshot for your reference

Please explain how to enforce authorization checks properly so that URL copy & paste access can be eliminated completely.

Thanks in advance.

6

APP SID Validation

Re: APP SID Validation

karthik, after login via loginAuthHash remove from query string authHash parameter (make redirect to app with only sid).

Head of Wialon Local Department
Gurtam
7

APP SID Validation

Re: APP SID Validation

karthik, authHash can't be used twice. Try to test such steps in Your app:
1. Get new sid using loginAuthHash and authHash from query string. Ignore sid in query string.
2. Make all requests using new sid.
3. In Your app with different IP old authHash won't work as it was already used.
Profit.

Head of Wialon Local Department
Gurtam
8

APP SID Validation

Re: APP SID Validation

Thanks Deal,

I will try your recommendation one more time and will confirm whether it is working or not !!!