
I am trying to authenticate user using FormLoginHandler and Postgresql Database with SqlAuthentication.

But I get the following error:

Jun 15, 2022 1:14:34 PM io.vertx.ext.web.RoutingContext
SEVERE: Unhandled exception in router
io.vertx.ext.web.handler.HttpException: Unauthorized
Caused by: io.vertx.core.impl.NoStackTraceThrowable: Invalid username/password

I am providing the right credentials.

The code snippet is:

// Authentication provider backed by the SQL client (sqlClient and AUTHENTICATE_QUERY are defined elsewhere)
SqlAuthenticationOptions sauthopts = new SqlAuthenticationOptions();
sauthopts.setAuthenticationQuery(AUTHENTICATE_QUERY);
SqlAuthentication authenticationProvider = SqlAuthentication.create(sqlClient, sauthopts);

// Unauthenticated requests under /secure/* are redirected to the login page
router.route("/secure/*").handler(RedirectAuthHandler.create(authenticationProvider, "/login.html"));

// The login form posts its credentials here
FormLoginHandler formLoginHandler = FormLoginHandler.create(authenticationProvider);
router.route("/loginhandler").handler(formLoginHandler);

Please let me know if I am missing something here; or point me to a sample example.

Thanks in Advance.

Lucas
  • Have you considered using the [Vertx postgresql client](https://vertx.io/docs/vertx-pg-client/java/#_connecting_to_postgresql)? – Tcheutchoua Steve Jun 15 '22 at 12:00
  • Yes Steve, I am using PgPool pgpool = PgPool.pool(vertx, pgconnopts, poolOpts); I overcame the issue as mentioned in my comment below. Thanks a lot for your time/help. – Lucas Jun 15 '22 at 15:28

1 Answer


Your setup doesn't show anything abnormal at first sight. For security reasons, we cannot "just" log the authentication data, as it would be a critical OWASP bug and security vulnerability.

My best guess is that probably is something not totally correct with the query, so this means you have now 2 options:

  1. debug the application and see the query that is being sent + the arguments
  2. prepare a small complete example that shows the bug and open an issue in vert.x so we can debug it further.

If you're upgrading from an older version, be aware that in vert.x 4.2.0 some changes were made to the base64 encoding to keep it consistent across modules. This could be a reason why authentication could fail as the encoded hashes may be slightly different. If you're just doing 4.3.0 from the start, then this would not be a problem.

Paulo Lopes
  • Thanks for the quick response Paulo: I am using 4.3.1. I have pre-loaded the db with username/password in plain text. The issue that I traced was in the SqlAuthenticationImpl class: if (strategy.verify(hashedStoredPwd, authInfo.getPassword())) { ... This "if" condition expects hashedStoredPwd to be hashed in the DB, so the auth fails here. I re-implemented it like this to make it work: if (hashedStoredPwd.equals(authInfo.getPassword())) { ... I guess there should be an option to set HashingStrategy in SqlAuthenticationOptions - the user should use the same client for storing & verifying. – Lucas Jun 15 '22 at 15:22
  • ... The HashingStrategy options could be Plain(None) or one of the algos. Thanks again for the help. – Lucas Jun 15 '22 at 15:22
  • You should never store passwords in plaintext in a database. That is to prevent future trouble if your database is ever leaked. Instead, you should use the helper utility to hash your database: https://github.com/vert-x3/vertx-auth/blob/master/vertx-auth-sql-client/src/main/java/io/vertx/ext/auth/sqlclient/SqlUserUtil.java This utility will allow you to safely hash passwords, add users and roles to a database, as long as you're using the same config you will be using later to connect to the database. – Paulo Lopes Jun 20 '22 at 07:06
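The following is an added example, not code from the question or from the answer above, showing the workflow the answer recommends: seed the users table through SqlUserUtil (which writes a salted hash in the "$algorithm$salt$hash" form that SqlAuthentication's HashingStrategy can verify) and then authenticate against that row. It assumes Vert.x 4.3.x with vertx-auth-sql-client and vertx-pg-client on the classpath, a table created as CREATE TABLE users (username VARCHAR(255) PRIMARY KEY, password VARCHAR(255)), placeholder connection settings, and PostgreSQL-style $1/$2 parameter markers in the queries (the library's built-in default queries use "?", which PostgreSQL does not accept). The class and method names HashedPasswordSeedExample and verifyAgainstStored are this example's own.

```java
import io.vertx.core.Vertx;
import io.vertx.ext.auth.HashingStrategy;
import io.vertx.ext.auth.authentication.UsernamePasswordCredentials;
import io.vertx.ext.auth.sqlclient.SqlAuthentication;
import io.vertx.ext.auth.sqlclient.SqlAuthenticationOptions;
import io.vertx.ext.auth.sqlclient.SqlUserUtil;
import io.vertx.pgclient.PgConnectOptions;
import io.vertx.pgclient.PgPool;
import io.vertx.sqlclient.PoolOptions;

// Added example (hypothetical class name): seed a hashed password, then verify it.
public class HashedPasswordSeedExample {

  // PostgreSQL placeholders are $1, $2, ... ; the unquoted identifiers fold to lowercase.
  static final String INSERT_USER = "INSERT INTO users (username, password) VALUES ($1, $2)";
  static final String INSERT_USER_ROLE = "INSERT INTO users_roles (username, role) VALUES ($1, $2)";
  static final String INSERT_ROLE_PERM = "INSERT INTO roles_perms (role, permission) VALUES ($1, $2)";
  static final String AUTHENTICATE_QUERY = "SELECT password FROM users WHERE username = $1";

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();

    // Placeholder connection settings (assumed); substitute your own.
    PgConnectOptions connectOptions = new PgConnectOptions()
      .setHost("localhost")
      .setPort(5432)
      .setDatabase("appdb")
      .setUser("appuser")
      .setPassword("change-me");
    PgPool pool = PgPool.pool(vertx, connectOptions, new PoolOptions().setMaxSize(4));

    // Same client for writing and for verifying, as the answer's comment advises.
    SqlUserUtil userUtil = SqlUserUtil.create(pool, INSERT_USER, INSERT_USER_ROLE, INSERT_ROLE_PERM);
    SqlAuthentication authProvider = SqlAuthentication.create(
      pool, new SqlAuthenticationOptions().setAuthenticationQuery(AUTHENTICATE_QUERY));

    // 1. createUser hashes the password (salted; pbkdf2 is assumed to be the library default)
    //    before the INSERT, so the stored column never holds the plaintext.
    // 2. authenticate runs AUTHENTICATE_QUERY and calls HashingStrategy.verify(stored, presented).
    userUtil.createUser("alice", "correct horse battery staple")
      .compose(v -> authProvider.authenticate(
        new UsernamePasswordCredentials("alice", "correct horse battery staple")))
      .onSuccess(user -> {
        System.out.println("authenticated: " + user.principal().getString("username"));
        vertx.close();
      })
      .onFailure(err -> {
        System.err.println("authentication failed: " + err.getMessage());
        vertx.close();
      });
  }

  // Mirrors the check in SqlAuthenticationImpl that the question's comment traced:
  // the stored value must be in the HashingStrategy's encoded form. A row that holds
  // the bare plaintext does not verify, which is the "Invalid username/password"
  // outcome seen in the question.
  static boolean verifyAgainstStored(String storedValue, String presentedPassword) {
    HashingStrategy strategy = HashingStrategy.load();
    return strategy.verify(storedValue, presentedPassword);
  }
}
```

Run main once against an empty users table; the INSERT goes through SqlUserUtil rather than a hand-written statement so that the stored value and the verifier agree on salt and algorithm. If the users_roles and roles_perms tables do not exist, only createUser is exercised here, so they are not required for this example to succeed.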