Can I return a reason for failed authorisation?

#1

I’m using a JavaScript backend and I’m trying to throw an Error with a specific message when a user fails authorisation if their account had been locked for some reason (so that the app can give them a somewhat intelligent reason to contact help desk).

However, on a failed authorisation, Crossbar seems to only ever return:

{ reason: 'wamp.error.authorization_failed',
  message: 'Internal server error',
  … }

Is there any way to coax Crossbar (or maybe it’s Autobahn) into allowing us to return an error code or similar that the browser can translate into a different message? I know there are security issues here with information disclosure but it’s a requirement coming from the customer.

Alternatively, can we lock out a connection/session in Crossbar itself?

Thanks in advance.

Regards,

Andrew Eddie

0 Likes

#2

Hi Eddie!

Using dynamic authentication (example at https://github.com/crossbario/crossbarexamples/tree/master/authenticate/wampcradynamic/nodejs), you can throw an error with a custom message (the “no such user” in “authenticator.js”).

Is this what you are looking for?

Regards,

Alex

0 Likes

#3

Ok, it seems that Crossbar passes the message through if you throw a
String, but it doesn’t like you throwing an error. If I change the
authenticator to:

throw new Error("no such user");

then crossbar returns:

Connection lost: closed { reason: 'wamp.error.runtime_error',
  message: '{}',

Regards,
Andrew Eddie

0 Likes

#4

So will this actually be a problem that Autobahn in not translating
the error into a form that Crossbar recognises?

Regards,
Andrew Eddie

0 Likes

#5

Using dynamic authentication (example at
https://github.com/crossbario/crossbarexamples/tree/master/authenticate/wampcradynamic/nodejs),
you can throw an error with a custom message (the "no such user" in
"authenticator.js").

Is this what you are looking for?

Ok, it seems that Crossbar passes the message through if you throw a
String, but it doesn’t like you throwing an error. If I change the
authenticator to:

throw new Error("no such user");

try:

// Autobahn's Error class (error URI, args), not the built-in JavaScript Error
throw new autobahn.Error("com.myapp.myerror", ["my user message"]);

https://github.com/crossbario/autobahn-js/blob/master/package/lib/session.js#L105


0 Likes
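
The approach discussed in this thread, as an added example that is not code from any poster or from the Crossbar/Autobahn projects: the authenticator throws an error carrying a code, and the client translates only allowlisted codes into fixed messages. `WampError`, the `com.example.*` URIs, the user store and `messageFor` are hypothetical, and the example assumes the router delivers the thrown URI to the client in the `reason` field, which the thread does not confirm.

```javascript
// Added example: WampError is a local stand-in with the (error, args, kwargs)
// shape used in #5; a real authenticator would use the Autobahn class instead.
class WampError {
  constructor(error, args = [], kwargs = {}) {
    this.error = error; // error URI
    this.args = args;
    this.kwargs = kwargs;
  }
}

// Constructed sample data and hypothetical error URIs.
const USERS = new Map([
  ["alice", { secret: "constructed-secret-a", role: "frontend", locked: false }],
  ["bob", { secret: "constructed-secret-b", role: "frontend", locked: true }],
]);
const ERR_LOCKED = "com.example.auth.account_locked";
const ERR_DENIED = "com.example.auth.denied";

// Dynamic authenticator body; args = [realm, authid, details].
function authenticate(args) {
  const authid = args[1];
  const user = USERS.get(authid);
  if (!user) {
    // Unknown user: generic code, no hint about why the attempt failed.
    throw new WampError(ERR_DENIED, ["authentication failed"]);
  }
  if (user.locked) {
    // Locked account: the one state to surface. Send a code, not free text.
    throw new WampError(ERR_LOCKED, ["account locked"]);
  }
  return { secret: user.secret, role: user.role };
}

// Browser side: only allowlisted codes map to fixed strings; the
// server-supplied message text is never shown to the user.
const UI_MESSAGES = new Map([
  [ERR_LOCKED, "Your account is locked. Please contact the help desk."],
]);
const GENERIC_MESSAGE = "Sign-in failed. Check your details and try again.";

function messageFor(details) {
  const reason = details && typeof details.reason === "string" ? details.reason : "";
  return UI_MESSAGES.get(reason) || GENERIC_MESSAGE;
}
```

Because the locked code is returned before any secret is checked, it confirms that the authid exists; that is the disclosure the original post accepts as a customer requirement.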