INTERACT FORUM

Windows => Third Party Plug-ins, Programs, and Skins => Topic started by: jmone on April 08, 2016, 07:13:46 pm

Title: MCWS Authentication Qs
Post by: jmone on April 08, 2016, 07:13:46 pm

Can I clarify how MCWS Authentication works (been working with Steve on his Amazon Echo integration and we are (or I am) confused)?

I see in the Activity Log different behavious pending what is connecting to the Library Server, eg:
- Library Server Clients issue an initial "GET: http://192.168.xxx.xxx:52199/MCWS/v1/Authenticate" and then POSTS / GETS after that with no Token

- If I use a Local Web Session I get a Initial Logon box but don't see an "Authentication" event in MC but straight to a page like
GET: http://localhost:52199/MCWS/v1/doc with no Token

- In my scripts (see below for how I call them), I get a pair of activities but no "Authenticate" when I make calls
GET: http://127.0.0.1:52199/MCWS/v1/File/CreateParticle?File=3497052&FileType=Key&Count=1   0 bytes   0:00.000
GET: http://127.0.0.1:52199/MCWS/v1/File/CreateParticle?File=3497052&FileType=Key&Count=1   129 bytes   0:00.007

- Steve's Amazon Echo Integration however seems to require issuing these calls to be able to connect from over the Interweb
GET: http://122.xxx.xxx.xxx:52199/MCWS/v1/Authenticate
GET: http://122.xxx.xxx.xxx:52199/MCWS/v1/Files/Search?Query=[Album]=top&Token=8DigitCode&Zone=-1&ZoneType=ID&Fields=Album%20Artist%20(auto),Album

So a few Q:
- If Steve issues an Authenticate up front do you need the "Token" in the subsequent calls (or is this call required to get a Token)
- What is the Token that is being used?  It is an 8 Digit Token that is not the same as my 6 Digit "Access Key" - eg is it a one time token for that session and does it matter that it is in the clear? 
- Under what circumstance do you need to include a Token in calls
- For my scripts do I care that a see a Pair of Calls (the first one is always 0 Bytes, the Second with Data)

Thanks
Nathan

PS - Here is the code I use in my scripts

Code: [Select]

  WinHTTP := ComObjCreate("WinHTTP.WinHttpRequest.5.1")
  ComObjError(false)
  WinHTTP.Open("GET", MC_Call)
  WinHTTP.SetCredentials(MC_UserName,MC_Password,0)
  WinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
  Body = ""
  WinHTTP.Send(Body)
  Result := WinHTTP.ResponseText
  Status := WinHTTP.Status

Title: Re: MCWS Authentication Qs
Post by: Hendrik on April 09, 2016, 08:35:09 am

MCWS supports two ways to authenticate, either by using a Token, or using HTTP authentication (ie. the login box the browser shows). Your browser will then store the login information and just keep sending it on any subsequent request, so you only get it once in a session.
This is also what MC Clients do, they check the credentials once using the Authenticate call, and if they are accepted they keep sending them with every request otherwise in the HTTP headers.

So in short, you need to provide some sort of authentication with every request if the server requires auth. Either a Token, or a HTTP Authorization header.
Tokens are generated for your client specifically and IIRC are also tied to the IP address of the request, and a certain lifetime, so they expire if not used for a while (although the timeout is relatively long).

Title: Re: MCWS Authentication Qs
Post by: jmone on April 09, 2016, 05:03:07 pm

Perfect Explanation - thanks Hendrik

Title: Re: MCWS Authentication Qs
Post by: sarkonovich on April 09, 2016, 06:58:13 pm

Yes, thanks!

Steve