Hi Nick,

> On Jun 1, 2016, at 5:53 PM, Nick Kew <[email protected]> wrote:
>
> I've been running some M-Pin sessions capturing
> and looking at the traffic between the Miracl
> Javascript client and Python RP server.
>
> Among other things, I see repeated unsuccessful calls:
>
> POST /rps/accessnumber HTTP/1.1
> ....
The unsuccessful calls are intentional, although there is room for
improvement by implementing HTTP long-poll, WebSockets or even HTTP/2 instead
of periodic checks.
> Content-Type: text/plain;charset=UTF-8
> Cookie: mpindemo_session="..."
>
> {"webOTT":"13468f969413889e287a69ddc526fef6"}
>
> (aside: that's JSON being sent as text/plain)
I think an issue should be raised in the javascript client. It seems it doesn't
send proper headers.
> Now the response to this is a 401, with other HTTP headers
> whose legitimacy might be in question, and no body:
>
> HTTP/1.1 401 Unauthorized
> Server: TornadoServer/4.1
> Www-Authenticate: Authenticate
The Python RPS server doesn't set and use that HTTP header (Www-Authenticate).
Probably it's something between you and the server. Please give more
information about the setup.
> [more]
>
> I guess the "Authenticate" value to WWW-Authenticate is handled
> by the Javascript, but shouldn't the browser itself be presented
> with something it knows? Conventional values are Basic or Digest
> (with appropriate parameters).
>
> What I'm seeing is what looks like "undefined" browser behaviour
> in response to an unknown WWW-Authenticate. That is to say, the
> browser sends off an identical request and receives an identical
> reply, repeated many times while slower human interaction takes
> place as I (successfully or otherwise) log in.
>
> Also, at no point in the interaction is there a successful
> call to /rps/accessnumber . Always 401 as above.
The successful response happens when you authenticate successfully with your
mobile client.
>
> How much of this is intentional, and why?
>
> --
> Nick Kew
>
Best,
Stanislav Mihaylov
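The polling pattern discussed in this thread, as an added example that is not part of the original messages and not M-Pin's own client or server code: a browser-side loop that POSTs `{"webOTT": ...}` to `/rps/accessnumber` with a JSON `Content-Type` instead of `text/plain`, treats 401 as "the mobile client has not authenticated yet", stops on 200, and refuses to keep polling on any other status. The RPS is replaced by a constructed stand-in so the code runs offline; the fake server's 415/400 checks and the shape of its 200 body are assumptions, not documented RPS behaviour.

```javascript
// Added example (not M-Pin's own client or server code). Polls
// POST /rps/accessnumber until the RPS answers 200, which the thread says
// happens once the mobile client has authenticated. Everything below is
// constructed for illustration; the RPS stand-in and its response shape are
// assumptions.

const ACCESS_NUMBER_PATH = '/rps/accessnumber';

// Build the request from the thread, but with a JSON Content-Type rather
// than text/plain. webOTT is the 32-hex-character token the client sends.
function buildAccessNumberRequest(webOTT) {
  if (typeof webOTT !== 'string' || !/^[0-9a-f]{32}$/.test(webOTT)) {
    throw new Error('webOTT must be a 32-hex-character token');
  }
  return {
    method: 'POST',
    path: ACCESS_NUMBER_PATH,
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON.stringify({ webOTT }),
  };
}

// Poll until 200 or until maxAttempts is exhausted. transport is a
// synchronous function(request) -> {status, headers, body}, standing in for
// fetch/XHR. 401 means "not yet"; any other non-200 status is an error, so a
// misconfigured proxy or server bug cannot turn into an endless retry loop.
function pollAccessNumber(transport, webOTT, maxAttempts) {
  const request = buildAccessNumberRequest(webOTT);
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = transport(request);
    if (res.status === 200) {
      return { authenticated: true, attempts: attempt, body: JSON.parse(res.body) };
    }
    if (res.status !== 401) {
      throw new Error(`unexpected status ${res.status} on attempt ${attempt}`);
    }
  }
  return { authenticated: false, attempts: maxAttempts, body: null };
}

// Constructed RPS stand-in (assumption, not the real Python RPS): answers 401
// for the first pollsUntilMobileLogin polls, then 200. It also rejects a
// non-JSON Content-Type and a malformed body, which is the kind of check a
// server could add once the client sends proper headers.
function makeFakeRps(pollsUntilMobileLogin) {
  let polls = 0;
  return function transport(req) {
    if (req.method !== 'POST' || req.path !== ACCESS_NUMBER_PATH) {
      return { status: 404, headers: {}, body: '' };
    }
    if (!/^application\/json/.test(req.headers['Content-Type'] || '')) {
      return { status: 415, headers: {}, body: '' };
    }
    let parsed;
    try {
      parsed = JSON.parse(req.body);
    } catch (e) {
      return { status: 400, headers: {}, body: '' };
    }
    if (typeof parsed.webOTT !== 'string') {
      return { status: 400, headers: {}, body: '' };
    }
    polls++;
    if (polls <= pollsUntilMobileLogin) {
      return { status: 401, headers: {}, body: '' };
    }
    // Assumed success body; the thread does not show what the real RPS returns.
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ webOTT: parsed.webOTT, status: 'authenticated' }),
    };
  };
}
```

A real client would sleep between attempts (or, as the reply suggests, switch to long-poll or WebSockets so the server pushes the success instead); the loop above is synchronous only so it can be exercised offline. The important properties are the ones the thread raises: the body is declared as JSON, 401 is handled by the application rather than left to the browser's reaction to an unknown WWW-Authenticate scheme, and the loop has an upper bound.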
