Usuarios y sesiones

Sessions

When scalable sessions are enabled (recommended), REST requests can create and use web user sessions, providing extra features such as multiple requests handling, data sharing between web client processes, and control of user privileges.

Cuando se abre una sesión de usuario web, puede manejarla a través del objeto Session y la Session API. Las siguientes peticiones REST reutilizan la misma cookie de sesión.

A session is opened after the user was successfully logged (see below).

• On 4D Server, opening a REST session requires that a free 4D client license is available.
  
• En 4D monopuesto, puede abrir hasta tres sesiones REST para realizar pruebas.

Forzar el modo de inicio de sesión

Compatibilidad

The legacy login mode based upon the On REST Authentication database method is deprecated as of 4D 20 R6. It is now recommended to use the force login mode (automatically enabled in new projects) and to implement the ds.authentify() function. In converted projects, a button in the Settings dialog box will help you upgrade your configuration. In Qodly Studio for 4D, the mode can be set using the Force login option in the Privileges panel.

La secuencia de inicio de sesión del usuario es la siguiente:

1. At the first REST call (for a webform call for example), a "guest" web user session is created. It has no privileges, no rights to execute requests other than descriptive REST requests, no license consumption.
   Descriptive REST requests are always processed by the server, even if no web user session using a license is opened. En este caso, son procesados a través de sesiones "invitado".

2. You call your authentify() function (created beforehand), in which you check the user credentials and call Session.setPrivileges() with appropriate privileges. authentify() must be an exposed datastore class function.

3. La petición /rest/$catalog/authentify se envía al servidor junto con las credenciales del usuario. This step only requires a basic login form that do not access data; it can be a Qodly form (called via the /rest/$getWebForm request).

4. If the user is successfully authentified, a 4D license is consumed on the server and all REST requests are accepted.

En la fase de inicio de sesión del usuario, el uso de la licencia está desconectado de las sesiones de usuario web. A license is required only when the Session.setPrivileges() is executed, allowing you to control the number of used licenses.

All other REST requests (handling data or executing a function) will only be processed if they are executed within a web session with appropriate privileges, otherwise they return an error. To assign privileges to a web session, you need to execute the Session.setPrivileges() function for the session. Ejecutar esta función activa el consumo de la licencia 4D.

Peticiones REST descriptivas

Descriptive REST requests can be processed in web user sessions that do not require licenses ("guest" sessions). Estas peticiones son:

• /rest/$catalog requests (e.g. /rest/$catalog/$all) - access to available dataclasses
• /rest/$catalog/authentify - la función del almacén de datos utilizada para iniciar sesión del usuario
• /rest/$getWebForm - la renderización de un formulario Qodly

Function authentify

Sintaxis

exposed Function authentify({params : type}) {-> result : type}
	// code

The authentify() function must be implemented in the DataStore class of the project and must be called through a REST request.

This function is the only available entry point from REST guest sessions when the "force login" mode is enabled: any other function call or data access is rejected until the session acquires appropriate privileges.

nota

The authentify() function can always be executed by a REST guest session, whatever the roles.json file configuration.

The function can receive any authentication or contextual information as parameter(s) and can return any value. Since this function can only be called from a REST request, parameters must be passed through the body of the POST request.

Esta función debe contener dos partes:

• algún código para identificar y autenticar al remitente de la petición REST,
• if the authentication is successful, a call to Session.setPrivileges() that assigns appropriate privileges to the session.

If the function does not call Session.setPrivileges(), no privileges are assigned, no license is consumed and subsequent non-descriptive REST requests are rejected.

Ejemplo

Sólo quiere conocer a los usuarios para abrir una sesión web en el servidor. Ha creado la siguiente función authentify() en la clase datastore:

exposed Function authentify($credentials : Object) : Text

var $users : cs.UsersSelection
var $user : cs.UsersEntity

$users:=ds.Users.query("name = :1"; $credentials.name)
$user:=$users.first()

If ($user#Null) //the user is known
	If (Verify password hash($credentials.password; $user.password))
		Session.setPrivileges("vip")
	Else

		return "Wrong password"
	End if
Else
        return "Wrong user"
End if

Para llamar a la función authentify():

POST 127.0.0.1:8111/rest/$catalog/authentify

Cuerpo de la petición:

[{"name":"Henry",
"password":"123"}]