FTP Server support

Support for FTP and FTPS in available in the Neuron® from build 2025-03-20. FTP is an old Internet technology, but with a lot of support in different software and libraries. By providing support for FTP it is now possible to:

  • Provide broker account holders with File Storage using FTP.

  • Provide developers and operators with a mechanism to copy, edit and manage files in a simpler way compared to using terminal prompts (chat admin), web pages or remote desktop connections.

  • Ensure files have consistent access rights in the operating system of the Neuron®. When using Remote Desktop or similar technologies to access the Neuron® for the purpose of copying files to the Neuron®, these might be copied using different access privileges than other types of content files. This might cause problems, such as inability to access the files from the Neuron®, or inability to update them via packages. Files copied to the Neuron® via the FTP interface will use the Neuron’s access rights (Local Service by default) when copying the files, ensuring that the Neuron® will be able to update the files in the future, as part of normal package distributions.

Protocol reference

The FTP protocol is mainly defined in a set of RFC published by the IETF. There are also some custom commands that commonly available, but not standardized. The main RFCs implemented are:

There are some limitations in the implementations (see more details, below):

  • All FTP access requires authentication (i.e. login, or use of mTLS)
  • All authentication and transfer require TLS encryption.
  • Only broker accounts (i.e. XMPP accounts, not administrative user accounts) with FTP access rights explicitly set have access to FTP.
  • Passive mode is limited to pre-defined ports.

Types of Channels

FTP was created in a time when establishing socket connections was cheaper than implementing streaming or embedding files over a single socket. For this reason, FTP, even for simple tasks requires two or more socket connections between a client (the uploader, downloader or manager of files) and a server (the file server). One connection is made for commands\ - the control channel. All file transfers or lengthy replies (such as a directory listing) are sent over a separate socket - one separate socket per transfer - the data channels. The server needs to manage available ports and provide them, as they are needed, to the different clients.

In the first versions of FTP, the server connected back to the client for each transfer, i.e. each data channel. But as the Internet evolved, and Firewalls were introduced, it became apparent that such an infrastructure is not particularly useful (in spite of NAT). A new type of data channel was introduced: The passive data channel (where the first was considered active, from the server’s point of view). A passive data channel is created by the client connecting to the FTP server using a second connection, establishing a new data connection, on which the transmission of the lengthy response or the file can occur.

TCP/IP Ports

FTP traditionally uses TCP/IP port 21. This port starts unencrypted, but the Neuron® requires the client to switch to TLS before it can authenticate itself. This process is called explicit encryption in some clients. Apart from explicit encryption, there is also an implicit encryption that can be used, often referred to as FTPS (not to be confused with SFTP, which is something else). The default port for FTPS is 990. FTPS works much like HTTPS, in that TLS is used directly upon connecting, and not negotiated through the protocol.

The recommended method to transfer data is through passive data channels. The original definition of passive channels allows for the opening of any port for listening on the server. This is not a good approach, from a security point-of-view, as a very large range of ports must be opened in the firewall for this to work. The Neuron® insteads allows for a limited set of passive data channel ports to be defined (by default 50000 - 50009). The Neuron® then alternately provides access to these ports to the FTP clients that are connected. The Neuron® also ensures the correct client accesses the correct ports. It also ensures to delay access to these passive ports, in case all are used.

The ports used, must be defined defined in the Gateway.config file on the Neuron®. You can change, add or remove ports as you see fit. Every change to the gateway.config file however, requires the Neuron® to be restarted. Example of the Ports section of a Gateway.config file:

<Ports>
	<Port protocol="HTTP">80</Port>
	<Port protocol="HTTPS">443</Port>
	<Port protocol="XMPP.C2S">5222</Port>
	<Port protocol="XMPP.S2S">5269</Port>
	<Port protocol="SOCKS5">1080</Port>
	<Port protocol="SMTP">25</Port>
	<Port protocol="SMTP">587</Port>
	<Port protocol="FTP">21</Port>
	<Port protocol="FTPS">990</Port>
	<Port protocol="FTP.PassiveData">50000</Port>
	<Port protocol="FTP.PassiveData">50001</Port>
	<Port protocol="FTP.PassiveData">50002</Port>
	<Port protocol="FTP.PassiveData">50003</Port>
	<Port protocol="FTP.PassiveData">50004</Port>
	<Port protocol="FTP.PassiveData">50005</Port>
	<Port protocol="FTP.PassiveData">50006</Port>
	<Port protocol="FTP.PassiveData">50007</Port>
	<Port protocol="FTP.PassiveData">50008</Port>
	<Port protocol="FTP.PassiveData">50009</Port>
</Ports>

You can also edit the ports from the Admin menu, under Sources & Nodes:

FTP Ports, under Sources & Nodes
FTP Ports, under Sources & Nodes

Note that the ports you define here must also be opened in the Firewall, for incoming TCP/IP connections to be permitted. If you use Azure to host your Neuron®, a firewall entry might look as follows:

Azure FTP Ports Rule
Azure FTP Ports Rule

Encryption

TLS encryption is mandatory for accessing the Neuron® using FTP. The Neuron® supports both implicit and explicit encryption. The Neuron® also supports Mutual TLS. This means you need to enable Client Certificates for the corresponding port in Gateway.config, and use a valid certificate on the client side when connecting to the Neuron®. If there is an account with FTP access rights having an account name corresponding to the Common Name in the subject field of a valid certificate, there is no need to use a password to access the account. The client will be authenticated as soon as it has provided the user name to the Neuron® FTP server.

Security Note: The weakest link in FTP is the matching of Control Channel with corresponding Data Channels. In active mode (not suitable for Internet use due to firewalls), this problem is not as big, since a third party cannot attempt to hijack a data channel. In passive mode, the client connects to the server twice, first for the control channel where it sends the commands, and secondly for the data channel, where a file transfer will occur. Hypothetically, a third party can hijack this data channel and receive a file not aimed for it. The controls to limit this are basic: First, the data channel is only open for listening exactly after the command has been issued, and only for as long as to receive one connection. This typically generates a window counted in milliseconds. Secondly, the server matches the Remote IP Address of both connections, and closes any data channel connection attempt from another IP address. It is therefore very unlikely that the data channel can be hijacked, but it is possible. To protect against this, it is recommended FTP conections be made using Mutual TLS (mTLS). When mTLS is used, the server also ensures the client certificate used is valid in both connections, and use the same public key. With this added level of protection, FTP becomes very secure.

Account Access Privileges

To give a broker account access rights on a Neuron®, you need to edit the account from the administrative page. At the bottom of the account, you need to provide a Root Folder for the account. This root folder does not have to be unique for the account, but it must exist. You also define whether the account as no access rights (default), read access rights, write access rights or both read and write access rights. You can also provide an optional maximum storage, counted in number of bytes. If you don’t provide a value for the maximum storage, the client will have unlimited access (i.e. until storage runs out). Once the account has been updated, the client can use FTP for file storage, within the folder provided in the configuration (and any of its subfolders). Write-access rights gives the account the right to create new subfolders recursively within the folder provided.

FTP Account Settings
FTP Account Settings

Using an FTP Client

If you want to use the Neuron® for file storage or management from your desktop. you will need an FTP Client to access the Neuron®. FTP support in Windows is limited to unencrypted access, which is not permitted by the Neuron®. WinSCP is an FTP client that works well with the Neuron® and is commonly used on different platforms. When using WinSCP to connect, remember to use either explicit encryption on the FTP port (21 by default) or implicit encryption on the FTPS port (990 by default). SFTP is something else in WinSCP. You then connect, and once you are connected you can access the assigned folder, using the logical folder /.

Troubleshooting using sniffers

You can troubleshoot the FTP communication on the Neuron® in two ways: In the Program Data Folder, there exists an FTP subfolder, where communication logs will be stored in XML format, for 7 days. You can also create a web sniffer from the administrative page (under Communication/FTP Sniffer) that can be used to sniff on the communication for a maximum of an hour. The content of the files will not be displayed in these sniffers, only what connections are made, what commands are sent, and their responses.

#new, #neuron, #features, #api, #protocol, #ftp, #security, #mtls

Peter Waher
Peter Waher
3/20/2025 7:44:45 PM 3/23/2025 12:42:51 AM
402 0 1 0

Enhanced QR Code API

From build 2025-03-07, there’s a new enhanced API for generating QR codes. It gives you more control over the parameters that control the appearance of the code. You can also use the API to generate QR codes suitable for print.

The source of the API is /QR/ on the domain your Neuron® runs at. The text after the /, and before any ? contains the URL Encoded text that gets encoded into the QR code. After the ? follows optional query parameters you can use to control the appearance of the code. If arguments are left out, their default values will be used. Following is a table of query parameters recognized by the QR Code API:

QR Code API query parameters
Parameter Default Value Description
w 400 Width of QR code, in pixels.
h 400 Height of QR code, in pixels.
fg Black Foreground color (dots) of the code. A special value of Theme can be used to select the text color of the current theme of the Neuron®
bg White Background color of the code. A special value of Theme can be used to select the background color of the current theme of the Neuron®
c depends on URI scheme Color of icon overlaid on the QR code. The icon depends on the URI scheme encoded into the code. Using the c parameter allows you to control the color of the icon.
mc same as icon color Foreground color of the markers in the QR code.
omc blended between mc and fg The Foreground color of the outer markers in the QR code.
ac same as icon color Foreground color of the alignment in the QR code.
oac blended between mc and fg The Foreground color of the outer alignment in the QR code.
q 1 Quality of the image. It is the number of points in each dimension calculated per pixel. Provides anti-aliasing of the QR code, improving the quality of the image.

Examples

Consider the following URL, of a legal identity: iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io. We can encode it into a simple QR code as follows:

https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io
https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io

We can add smoothness to the code, by adding ?q=2 to the code:

https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=2
https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=2

If we want the code to adapt to the current theme of the web page, we add &fg=Theme&bg=Theme for instance:

https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=2&fg=Theme&bg=Theme
https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=2&fg=Theme&bg=Theme

If we want to generate a code for a client displaying the page in black-mode for instance, we can control the colors using the various color arguments available. Example:

https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=2&fg=White&bg=Black&c=FFC0C0&mc=E0FFE0&ac=E0E0FF
https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=2&fg=White&bg=Black&c=FFC0C0&mc=E0FFE0&ac=E0E0FF

If we want to use it for print, we can add (for example) ?q=3&w=1200&h=1200:

https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=3&w=1200&h=1200
https://lab.tagroot.io/QR/iotid:2be3be1f-0f8f-7e1b-0808-cc7844e9e732@legal.lab.tagroot.io?q=3&w=1200&h=1200

This article is being written

#new, #features, #api, #neuron

Peter Waher
Peter Waher
3/7/2025 10:10:25 PM 3/10/2025 11:30:14 PM
547 0 1 0

The Echo and Ping Web Services

From build 2025-02-28 there are two new web services that can be used to monitor if the state of a Neuron®. The first is /Echo, which returns what you POST to it. The second is /Ping, which returns a UTC timestamp with millisecond precision. In the case of /Echo you get the same Content-Type back as you post. Make sure the Accept header reflects this in the request. In the /Ping case, you need to use the Accept header to indicate if you want JSON or XML back.

You can download the following Postman collection to test the new web services: EchoPing.postman_collection.zip

Network Latency and clock drift

From the server timestamp (st), you can calculate the network latency (l) and the clock drift (Δt) between the client making the request and the server hosting the /Ping service. You take the UTC time (with milliseconds) before (ct1) and after (ct2) the request, and then compute, as follows:

Network Latency and Clock Drift
Network Latency and Clock Drift

#new, #features, #api, #neuron

Peter Waher
Peter Waher
2/27/2025 11:31:06 PM 2/28/2025 2:15:41 PM
348 0 1 0

New Neuron Popup System

We have replaced window.alert, window.confirm, and window.prompt with a custom popup system. This provides better control and accessibility for user interactions.

Overview

  • Improved User Experience: The popups have a consistent style and can be customized.
  • Accessibility: Focus trapping ensures proper keyboard navigation.
  • Better Control: Supports handling of modal dialogs with promises.

How to use it

The popup system is located in the Master.js file. To use it include the folowing headers in your markdown or master file.

Javascript: /AlertPopup.md.js
Javascript: /ConfirmPopup.md.js
Javascript: /PromptPopup.md.js
Javascript: /Master.js

You also need a dialog container in the bottom of your html body.

<div id="native-popup-container"></div>

Additionally, the theme used must implement the base theme base.cssx for styling. Alternatively you could style it yourself, but it would be recomended to instead cascade over the already existing css or changing the themes cssx variables;

Usage

Alert

Use Alert(message) to display a basic alert popup.

const popup = PopupHandler();
await popup.Alert("This is an alert message.");

Confirm

Use Confirm(message) to display a confirmation dialog that returns a boolean.

const result = await popup.Confirm("Are you sure?");
if (result) {
    console.log("User confirmed.");
} else {
    console.log("User canceled.");
}

Prompt

Use Prompt(message) to capture user input.

const userInput = await popup.Prompt("Enter your name:");
console.log("User entered:", userInput);

Details

  • All popups are contained in a shared container.
  • The popup backdrop is generated by the Master.js file, and placed at the bottom of the body tag
  • If you initiate a new popup whilst one is already open, it will cover the old one. The old one will be accesible after you interact with the newly created one. You can think of the popups in a stack datastructure.
  • Focus trapping disables focusing outside the popup using tab and shift + tab.
  • Your master markdown file must include the following element at the bottom to contain the popups:
  • If you dont need to wait for an Ok press when using Alert() you don’t need to await the response.

#neuron, #api, #javascript, #tutorial

viggoacess
viggoacess
2/13/2025 1:34:00 PM 2/13/2025 4:12:57 PM
239 0 1 0

Using a proxy server with Agent API & Quick Login API

From build 2025-02-05, a new mode is available for integrating Quick Login API and Agent API when using a proxy to access the Neuron®. The web page may reside on an external server, and it wants to integrate with both Quick Login API and Agent API on a Neuron® different from the web server. In this case, the web-client only or backend modes are not sufficient, as they cannot integrate the two APIs seamlessly. Session mode is not available either, since the HTTP session held by the client, is between the client and the web server, not the Neuron®.

A new mode is now availble: A Session-proxy mode. allows the client to create a Session ID implicitly, by adding a agentApiTimeout property in the initial request made to the Neuron® from the proxy. The Neuron® will implicitly call the QuickLoginServiceId(Request,Timeout) function, and return the Service ID in the response to the proxy.

Note: The proxy needs to enable cookies in its communication with the Neuron®, to maintain the session correctly. The proxy will need to call the Agent API over the same session, to be able to access the Quick Login done in this mode.

For more information, see the Quick Login API reference documentation.

#new, #features, #neuron, #agent, #agentapi, #quicklogin, #api

Peter Waher
Peter Waher
2/5/2025 7:47:35 PM 2/5/2025 7:57:27 PM
318 0 0 0

Posts tagged #api

No more posts with the given tag could be found. You can go back to the main view by selecting Home in the menu above.