API to pass and retrieve hashed SIP password #353

Closed
ibc opened this issue Jan 15, 2016 · 9 comments

@ibc ibc commented Jan 15, 2016

Goal:

  1. Pass uri and clear password as always.
  2. Add ua.getHashedPassword() that retrieves HA1=MD5(username:realm:password) (so we need to also set the realm somehow...).
  3. Allow UA to be provided with uri and ha1Password instead of plain password.

@jmillan any concern about this?

@ibc ibc added the enhancement label Jan 15, 2016
@ibc ibc self-assigned this Jan 15, 2016
@ibc ibc added this to the 0.7.X milestone Jan 15, 2016

@saghul saghul commented Jan 15, 2016

FWIW, me likey. I'd make the realm optional, and set it to the domain by default. Asterisk uses 'asterisk' by default as the realm, so people may want to change it.


@ibc ibc commented Jan 15, 2016

OK, so in practice we would want a new realm configuration param that would just be used when ha1Password is also provided, agreed?

```js
let ua = new JsSIP.UA({
    uri: 'sip:alice@atlanta.com',
    password: '1234fuckmeeasy'
});
```

and:

```js
let ua = new JsSIP.UA({
    uri: 'sip:alice@atlanta.com',
    realm: 'asterisk',  // optional, if not set defaults to "atlanta.com"
    ha1Password: 'iwudkasjhdk234asd'
});
```

@ibc ibc commented Jan 15, 2016

NOTE FOR ME: once first authentication is done, the UA should delete the clear SIP password from its internal configuration object and automatically set the ha1Password and realm fields. In this way the lifetime of the clear password would be reduced (between UA creation and first successful authentication).

CONS: rare use case in which the server requires a late authentication with a new realm... In that case the auth would just fail, but we can live with it IMHO. Thoughts?


@murillo128 murillo128 commented Jan 15, 2016

My two cents, in some weird cases, authentication info could be different than SIP info, maybe something like this could be useful:

```js
let ua = new JsSIP.UA({
    username: 'alice@bar.com',
    auth: {
        username: 'alice',
        realm: 'foo.com',
        ha1Password: 'iwudkasjhdk234asd'
    }
});
```

@ibc ibc commented Jan 15, 2016

There is already an authorization_user param for that case.

Regarding parameters grouping, I like it, but better leave it for a new 0.8.x milestone so we don't break the current API and can add the feature exposed here in the current 0.7.x set of releases.


@saghul saghul commented Jan 15, 2016

> OK, so in practice we would want a new realm configuration param that would just be used when ha1Password is also provided, agreed?
>
> ```js
> let ua = new JsSIP.UA({
>     uri: 'sip:alice@atlanta.com',
>     password: '1234fuckmeeasy'
> });
> ```
>
> and:
>
> ```js
> let ua = new JsSIP.UA({
>     uri: 'sip:alice@atlanta.com',
>     real: 'asterisk', // optional, if not set defaults to "atlanta.com"
>     ha1Password: 'iwudkasjhdk234asd'
> });
> ```

Assuming you mean "realm" 👍


@ibc ibc commented Jan 15, 2016

Kill me.

@ibc ibc closed this in e50debc Feb 5, 2016

@ibc ibc commented Feb 5, 2016

Done in master. Also note that, with this new feature and even if no ha1 & realm are given, JsSIP deletes the given plain SIP password from memory and, instead, stores the generated and validated ha1 along with the resulting realm.

UA class also exposes new methods (configuration setters and getters):

  • ua.get(property): property can be realm / ha1 (useful for the app to store them in local storage and not ask the user for the plain SIP password anymore).
  • ua.set(property, value): property can be password / realm / ha1.

@jmillan jmillan commented Feb 5, 2016

👍
