JWT


JSON Web Token (JWT) is better than a session ID for authorization:
Unlike with a session ID, there is no need to ask the authenticator whether each token is valid.
There is no need for the authenticator's private key; only the public key is needed.
Sample flow, e.g. Stack Overflow using Gmail for authentication:
The browser sends the user's Gmail credentials to Google; Google creates a JWT with a validity period and signs it with its private key.
The browser sends the JWT to Stack Overflow, which decodes the JWT, verifies the signature with Google's public key, and checks the validity date for authorization.

About the test page: http://riowing.net/watch/static/jwt.htm
The payload is coded as {'iss': 'issRio', 'sub': 'subTestJWTValid1Min', 'exp': expEpocCurrentDate}
Click Decode within two seconds after clicking Encode, as the token is only valid for 2 seconds.

Verification:
Asymmetric: RS256, as in this test page, private key: “BEGIN RSA PRIVATE KEY…”. public key: “BEGIN PUBLIC KEY…”
Symmetric: HS256, same secret for both authentication and authorization, e.g. “mysecret”
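
Added example, not code from the original page or its jwt.tar download: a Python 3 standard-library implementation of the checks an HS256 verifier has to make (pin the algorithm, compare the HMAC in constant time, then enforce exp). The function names are assumptions; the secret "mysecret" and the claim names come from the page, and with pyjwt the same checks are done by jwt.decode(token, secret, algorithms=["HS256"]).

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    # JWT uses URL-safe base64 with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def encode_hs256(payload, secret):
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(sign(signing_input, secret))

def verify_hs256(token, secret, now=None):
    """Return the payload of an authentic, unexpired token; raise ValueError otherwise."""
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: the token's own header must not choose it (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the received and recomputed signatures.
    expected = sign(head_b64 + "." + body_b64, secret)
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))  # parsed only after the check
    exp = payload.get("exp") if isinstance(payload, dict) else None
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    return payload

if __name__ == "__main__":
    # Constructed sample: claim names from the page, valid for 2 seconds.
    claims = {"iss": "issRio", "sub": "subTestJWTValid1Min", "exp": int(time.time()) + 2}
    token = encode_hs256(claims, "mysecret")
    print(verify_hs256(token, "mysecret"))        # accepted right away
    for label, tok, key, t in (("wrong secret", token, "other", None),
                               ("after expiry", token, "mysecret", time.time() + 3)):
        try:
            verify_hs256(tok, key, now=t)
        except ValueError as err:
            print(label, "->", err)
```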

Tools needed:
$ pip install pyjwt bottle
tested with Python 2.7.15

Download: http://riowing.net/p/jwt.tar
Web server with JWT handling: jwtMy.py web.py
jwt.pem: private key
jwt.pub: public key


Web Authentication BA


Of the two standard authentication methods, BA and JWT, BA comes first.
BA: HTTP Basic Auth: user name and password in an HTTP header, over both http and https
pro: simple, directly supported by nginx
con: unlike a session ID, the credential cannot be expired, e.g. when the user logs out

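Configure nginx:
Create the password file: sudo htpasswd -c htpasswd test, and answer e.g. mypass when asked for the password.
htpasswd is in apt-get install apache2-utils
nginx.conf: add these lines for the location that needs password protection, e.g.
location /secretFolder {
    auth_basic "Restricted";  # turns Basic Auth on; the realm text is arbitrary
    auth_basic_user_file /somepass/htpasswd;
}
The HTTP header that contains the credential literally looks like this:
Authorization: Basic dGVzdDpteXBhc3M= which is base64 of test:mypass
Base64 is an encoding, not encryption, so over plain http the user name and password are readable by anyone who can see the request.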

To test it:
wget.exe --user test --password NeedCurrentPassword http://riowing.net/sec/a.txt
or open http://riowing.net/sec/a.txt in IE


Static function in BrightScript


There is no static keyword.
For example, myPoster is a component name; the component has a function called posterFunc, which is listed in its interface section.
posterFunc can be called in two ways:

static way: posterFunc({calleePara: "calleeParaStaticMain"})
When not called from main.brs, e.g. from MainScene.brs, MainScene.xml has to list myPoster.brs in its script section.
myPoster.brs cannot have init(), since init is for initializing an object.
When called from main.brs, the presence of init doesn't cause an error, but m.var referenced in posterFunc is invalid regardless of init.

non-static way: poster.callFunc("posterFunc", {calleePara: "calleeParaNonStaticMainBeforeShow"})
No need to list myPoster.brs in the .xml file.
If called from main, poster = CreateObject("roSGNode", "myPoster") has to come after screen.show().

Console output:
Main entered
CallFuncStaticWay calling posterFunc
myPoster::posterFunc passed in params= =
{
calleepara: "calleeParaStaticMain"
} , m.var=invalid
screen.show called
CallFuncNonStaticWay poster.callFunc-posterFunc
myPoster::posterFunc passed in params= =
{
calleepara: "calleeParaNonStaticMainBeforeShow"
} , m.var=mVarVal

Source code is here: http://riowing.net/p/AppNameStaticFunc.zip

cramfs


An open-source read-only file system. I tried it on both desktop Linux and embedded Linux.

Build the tools on the desktop to get mkcramfs and cramfsck. For embedded, I use prebuilt proprietary tools with the same file names.
Download from https://sourceforge.net/projects/cramfs
Build: just unzip and run make. zlib1g-dev is needed.
Creating the cramfs image:
desktop: $ mkcramfs myFolderToBeInImage/ cramfsImageDesktop
embedded: run the proprietary mkcramfs in the same way; the output image is called cramfsImageDev

Verifying the image:
$ cramfsck -v cramfsImageDesktop
Output looks like this:
d 0777 20 1000:232 root
f 0666 91 1000:232 root/test.txt
cramfsImageDesktop: OK
Make sure not to mix the tools and images between desktop and embedded, since their superblock magic can be different.
On desktop, the image starts with bytes 453d cd28. On embedded, it could be 473d cd28, and the CRC is recalculated accordingly.
The command $ file cramfsImageDesktop can also be helpful.

Mount it:
sudo mount -t cramfs -r -o loop cramfsImageDesktop /mnt/tmp_mnt/
or use cramfsImageDev if running on embedded

Firmware image and cramfs image can be confusing. cramfs runs directly from flash without loading into RAM, and is therefore used by embedded firmware.
A firmware image includes uboot, kernel, and rootfs cramfs image, usually in this order. I found imgARMcC in the fw image.
A firmware image is usually proprietary, and is written out and loaded by a proprietary bootloader.