MFA authentication using BR's HTTP Client

Posted: Fri Aug 05, 2022 12:52 pm
by bluesfannoz
We have had several clients whose insurance policy is requiring MFA authentication on their software products.

So I looked into adding a connection to a webservice offered by Twilio called Authy. You can download their application to your phone and register it and it will generate TOTP tokens for you to authenticate against.

So I have been playing with getting BR to talk to their api and authenticate their token. Success!

Here is an example of the necessary http.ini settings:

header X-Authy-API-Key: {API KEY Setup on the Twilio Website}
header Content-Type: application/text;charset=utf-8
user-agent curl/7.79.1

BR Code to Verify a supplied code:

00010     Dim http$*65535,ZB$*4096,URL$*4096
00030     LET httpclient=22 : Let RECL$="4096"
00050     Print Newpage : Print Fields "10,1,C": "Enter Authy Code:"
00070     Input Fields "11,1,C 7,S:T[Y]": Pass$
00170     Let URL$=TRIM$("https://api.authy.com/protected/json/verify/"&TRIM$(PASS$)&"/{AUTHY_ID_FROM_WEBSITE}")
00190     Open #httpclient: "name="&URL$&",CONTROL=http.ini,http=client",Display,Outin Error NO_HTTP Ioerr NO_HTTP
00210     Goto GOOD_HTTP
00230 NO_HTTP:!
00250     LET ZB$="Error "&STR$(ERR)&" Trying to open HTTP connection" : Let MsgBox(ZB$) : End
00270 GOOD_HTTP:! By Opening with Linput rather than Print, this is a GET HTTP Request that is required by Twilio
00310 do While File(httpclient)=0
00330    linput #httpclient: http$ eof done_http_1 Err tst_err
00350    Goto lp
00370 tst_err:!
00390     If err=4145 then goto lp
00410     LET ZB$="Error "&STR$(ERR)&" Waiting on Connection" : Let MsgBox(ZB$) : End
00430 lp:    loop
00450 done_http_1:!
00460     IF POS(http$,CHR$(34)&"token"&CHR$(34)&":"&CHR$(34)&"is valid"&CHR$(34))>0 Then print fields "15,1,C": "Token is Valid!" Else print fields "15,1,C" :"UnAuthorized!"
00490     Close #httpclient:

Link to Authy Api:
https://www.twilio.com/docs/authy/api
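
The same check sketched in Python rather than BR, as an added example that is not part of the original post: it restricts the entered code to digits before it goes into the URL path, and it parses the JSON reply instead of searching it as text, failing closed on anything unexpected. The function names, the digit-length limits and the `status` parameter are assumptions; the sample replies are constructed.

```python
import json
import re

# Base URL as it appears in the post above.
VERIFY_BASE = "https://api.authy.com/protected/json/verify/"
# Assumption: codes are 6-8 ASCII digits (the post's input field is 7 wide).
CODE_RE = re.compile(r"[0-9]{6,8}")
# Assumption: the Authy ID is a short run of ASCII digits.
AUTHY_ID_RE = re.compile(r"[0-9]{1,12}")

# Constructed sample replies, shaped after the "token" field the post checks.
SAMPLE_OK = '{"message": "Token is valid.", "token": "is valid"}'
SAMPLE_BAD = '{"message": "Token is invalid", "token": "is invalid"}'


def build_verify_url(code, authy_id):
    """Return the verify URL; raise ValueError unless both parts are digits."""
    code = code.strip()
    authy_id = str(authy_id).strip()
    if not CODE_RE.fullmatch(code):
        raise ValueError("code must be 6-8 digits")
    if not AUTHY_ID_RE.fullmatch(authy_id):
        raise ValueError("Authy ID must be digits")
    return VERIFY_BASE + code + "/" + authy_id


def token_is_valid(status, body):
    """Fail closed: True only for HTTP 200 and a JSON object with token 'is valid'."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False
    return isinstance(doc, dict) and doc.get("token") == "is valid"


if __name__ == "__main__":
    print(build_verify_url("1234567", "987654"))
    print(token_is_valid(200, SAMPLE_OK), token_is_valid(200, SAMPLE_BAD))
```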

Re: MFA authentication using BR's HTTP Client

Posted: Tue Aug 09, 2022 7:18 am
by GomezL
Nice tool!

In our application, I create an environment variable that stores an encrypted "Hex Code."

In the setup routine of my primary library, I check to make sure it's properly configured, and if not, then I trap it for "Unauthorized Use."

Sometimes a sophisticated user will try to load a program and run it directly, and you want to make sure you properly enforce security.