cancel
Showing results for 
Search instead for 
Did you mean: 

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

POST URL, username, and password to Browser

I am looking to be able to POST the URL, username and password to the Browser to get it to seamlessly authenticate.

I should add that what I'm looking to achieve is to pass a JWT in the password which will be validated by a custom auth provider.

However, the Browser uses React and the login form, as far as I can tell, is just initializing the JS bolt connection internally within the JS runtime.

It does appear that there is some functionality in the E2E tests that might facilitate this with Cypress, but that looks like a test-time only solution.

The following is a GET, obviously, but it illustrates what I'm trying to achieve:

https://myserver:7473/browser?url=bolt://myserver:7687&username=jwt&password=jwttokenhere

8 REPLIES 8

Hi Rob (good to see your name come across!

This has been a super long time. Have you made progress here?

We used to sorta implement this with the Sandbox. We have a custom auth provider that validates JWTs. However, we passed the JWT into https://myserver:7473/ (which our proxy handled instead of passing that URL into Neo4j). On that page, we set the browser Local Storage objects with the credentials on that host, which were then picked up by the browser when we redirected to the browser.

To eliminate some complexity (old JWTs timing out etc), we changed to a model where the JWT token is still passed to a page on the root of the Neo4j host, but the JavaScript there makes an API call to retrieve the actual Neo4j credentials and do the same setting of Local Storage before a redirect-- but using the actual credentials.

PS Would love it if you could introduce yourself to the rest of the Neo4j team and community over in that forum: https://community.neo4j.com/c/general/introduce-yourself

Cheers,
-Ryan

d_murali
Node Link

@ryan.boyd, Can I get the code for above implementation.

Thanks for the response Ryan. This makes sense.

I think that if there was a url on the browser's HTTP(s) endpoint that accepted bolt URL, username, password, and a next URL, that a lot of this would be easier for customers.

The server could respond with nothing more than some javascript that sets the local storage in the browser, and then bounce along to the next page. It looks like simply writing the following JSON into the "neo4j.connections" local storage object would do the trick:

This could almost accomplished with an unmanaged server extension but I'm not sure if there is an option for those extensions to respond without authentication. Do you know if there is?

In any case, I think this would go a long way to making Neo4j more accessible inside an enterprise environment.

Have also considered writing an HTTP+BOLT proxy to facilitate all of this. I guess that's what you did for the Sandbox. Before BOLT came around, we did this for the HTTP(s) endpoint and it worked pretty well, since our app could decide whether to send the request to neo4j based on the session state that it already has. BOLT makes this a bit more complicated.

It looks like Nigel Small put a PoC for this together in python:

Hey Rob,

Just responded to @d.murali in another thread, but there is a way to pass in credentials for the browser.

Take a look here:

I haven't yet tried to do this with a JWT, but I don't see why it wouldn't work. Certainly would be more secure (due to time limitation) than passing a password.

As far as a proxy is concerned, we just use NGINX for the websocket proxying for the sandbox. This works for websocket bolt connections (used by the JavaScript driver), but doesn't seem to be functional for regular bolt connections from other Drivers. I haven't yet investigated why...

Cheers,
-Ryan

Is there any way to encrypt the password and send in the url query string.
Or authenticate it from/using Javascript by changing the session/localstorage.

In my requirement I would be navigating to the neo4j browser url from a reactjs application,
it would be better If there is a provision of authenticating it from a Javascript file.

No, there is going to be no way to encrypt it because the clientside code in Neo4j Browser has to send it to Neo4j server for queries.

Note: the Browser is intended as a developer tool and is focused on that for all functionality.

This works. Would be great if it worked with POST so that the query string isn't logged.

The server accepts the POST request, but it doesn't seem to process the value.

Simple enhancement would be very nice.

Rob

Browser is completely clientside, so couldn't support POST. Would have to implement a messaging protocol and whitelist authorize callers.