Suggestions on creating a user authentication system.
-
From the aforementioned methods I believe digest authentication would be a good solution for me. In fact I started to do something similar right before I read your answer. I discovered botan that seems to be able to encrypt passwords. Unfortunately after trying to use it (by just including botan.h in a test project) it threw a bunch of errors.
If by framework you mean what I used to create the server, then nothing. It's a purely Qt server.
The idea behind this project was that I would have an app that will store some data not on the local machine but on a remote server. Offering something like cloud functionality, in order to back up or share data.
Having this in mind I created the server. It works fine until now, accepting requests and answering with the correct templates as needed. So being at this point it makes sense to add some sort of authentication or else the user data will be open to anybody.
-
Did you consider using Qt Cloud Services? Following your description, they provide what you need.
-
Yes I do know about Qt Cloud Services. A while ago I did some tests with that too, and also tried uploading my server to a MAR instance but failed during compilation.
Wouldn't I still need to develop the login system though?
They offer the space and database for me to use, but I believe it is up to me to actually implement what I want in one of the languages they support.
EDIT
I did a simple test with QCryptographicHash using
QByteArray result = hash1->hash(myPass.toLatin1(), QCryptographicHash::Sha3_512);
I have no idea if SHA3 is good enough to depend upon though.
My other alternative would be using bcrypt
That I do know is quite a secure algorithm. And of course I would have to modify the server to use SSL, right?
EDIT2
I also did some tests with bcrypt and it seems to be working fine. Before I continue implementing this, just to be sure, what I am supposed to do is:
get the users password (through a secure connection),
read that value in my server,
hash it, and compare it with the value on my database,
and I'm done.
-
It's rather: establish a secure connection to your server, that's simple: make it only accept https connections. Then you need to send the credentials from your client to your server and do the checks.
-
I guess you are right, establishing a secure connection is very important, but
I originally did my server only using http, following the various Qt examples. So now I found it hard to make it use https.
Qt's example on a secure connection did not help me very much because my server's architecture is a little bit different and that example is not... flexible to change I would say.
Someone here in the forums recommended this, from which I learned a great deal of things but it is using simple http, as most of the servers I have seen in Qt.
-
For the connection encryption setup, see QSslSocket
-
How are you creating it?
-
I have a 'Listener' class that is subclassing QTcpServer
class Listener : public QTcpServer { ...
It is using a worker
class NewConnectionHandler : public QThread { ...
In this worker class I provide a socket for the server to use in each new connection
moveToThread(this);
QFile certFile(QStringLiteral("./certificate/testC.cer"));
QFile keyFile(QStringLiteral("./certificate/testR.pem"));
certFile.open(QIODevice::ReadOnly);
keyFile.open(QIODevice::ReadOnly);
QSslCertificate certificate(&certFile, QSsl::Pem);
QSslKey sslKey(&keyFile, QSsl::Rsa, QSsl::Pem);
certFile.close();
keyFile.close();
sslSocket.moveToThread(this);
sslSocket.setLocalCertificate(certificate);
sslSocket.setPrivateKey(sslKey);
sslSocket.setProtocol(QSsl::TlsV1SslV3);
sslSocket.startServerEncryption();
connect(&sslSocket, SIGNAL(readyRead()), SLOT(read()));
connect(&sslSocket, SIGNAL(disconnected()), SLOT(disconnected()));
connect(&readTimer, SIGNAL(timeout()), SLOT(readTimeout()));
this->start();
This is pretty much what I am trying to do. The server is highly based from the one in the link I provided, and the one from VoidRealm's YouTube video.
-
On what is the first moveToThread called?
-
I use moveToThread for the ConnectionHandler class (class NewConnectionHandler) that takes care of creating a socket in the manner described above. I then return it to my listener class. It works for a TcpSocket, but if I try to alter it like above then it stops working.
-
If you really want to use multithreading then have a look at the Threaded Fortune Server example.