Skip to content
Snippets Groups Projects
Commit 4439d99e authored by Sina Rohde's avatar Sina Rohde
Browse files

Have deleted md-file and replaced it with rst-file

parent 6deab58a
No related branches found
No related tags found
2 merge requests!41REL: update changelog, bump version of pom.xml, update DEPENDENCIES,!36F fix tables
Pipeline #14127 failed
Stage: test
Stage: deploy
Hide whitespace changes
Inline Side-by-side
src/doc/specification/Authentication.md src/doc/specification/Authentication.rst
+ 96
0
View file @ 4439d99e
# Authentication
Some features of CaosDB are available to registered users only. Making any changes to the data stock via HTTP requires authentication by `username` _plus_ `password`. They are to be send as a HTTP header, while the password is to be hashed by the sha512 algorithm:
Authentication
==============
| `username:` | `$username` |
|-------------|-------------|-
| `password:` | `$SHA512ed_password` |
Some features of CaosDB are available to registered users only. Making any changes
to the data stock via HTTP requires authentication by `username` _plus_ `password`.
They are to be send as a HTTP header, while the password is to be hashed by the sha512 algorithm:
=========== ====================
username: password:
=========== ====================
`$username` `$SHA512ed_password`
=========== ====================
## Sessions
Sessions
--------
### Login
Login
^^^^^
#### Request Challenge
Request Challenge
^^^^^^^^^^^^^^^^^
* `GET http://host:port/mpidsserver/login?username=$username`
* `GET http://host:port/mpidsserver/login` with `username` header
``GET http://host:port/mpidsserver/login?username=$username``
``GET http://host:port/mpidsserver/login`` with `username` header``
*no password required to be sent over http*
The request returns an AuthToken with a login challenge as a cookie. The AuthToken is a dictionary of the following form:
The request returns an AuthToken with a login challenge as a cookie.
The AuthToken is a dictionary of the following form:
{scope=$scope;
mode=LOGIN;
offerer=$offerer;
auth=$auth
expires=$expires;
date=$date;
hash=$hash;
session=$session;
}
{scope=$scope;
mode=LOGIN;
offerer=$offerer;
auth=$auth
expires=$expires;
date=$date;
hash=$hash;
session=$session;
}
$scope:: A uri pattern string. Example: ` {**/*} `
$mode:: `ONETIME`, `SESSION`, or `LOGIN`
......@@ -39,44 +48,49 @@ The request returns an AuthToken with a login challenge as a cookie. The AuthTok
$hash:: A string
$session:: A string
The challenge is solved by concatenating the `$hash` string and the user's `$password` string and calculating the sha512 hash of both. Pseudo code:
The challenge is solved by concatenating the `$hash` string and
the user's `$password` string and calculating the sha512 hash of both.
Pseudo code:
$solution = sha512($hash + sha512($password))
$solution = sha512($hash + sha512($password))
#### Send Solution
Send Solution
^^^^^^^^^^^^^
The old $hash string in the cookie has to be replaces by $solution and the cookie is to be send with the next request:
The old $hash string in the cookie has to be replaces by $solution and
the cookie is to be send with the next request:
`PUT http://host:port/mpidsserver/login`
``PUT http://host:port/mpidsserver/login``
The server will return the user's entity in the HTTP body, e.g.
<Response ...>
<User name="$username" ...>
...
</User>
</Response>
<Response ...>
<User name="$username" ...>
...
</User>
</Response>
and a new AuthToken with `$mode=SESSION` and a new expiration date and so on. This AuthToken cookie is to be send with every request.
### Logout
Logout
^^^^^^
Send
`PUT http://host:port/mpidsserver/logout`
``PUT http://host:port/mpidsserver/logout``
with a valid AuthToken cookie. No new AuthToken will be returned and no AuthToken with that `$session` will be accepted anymore.
### Commandline solution with `curl` ##
Commandline solution with `curl`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To use curl for talking with the server, first save your password into a variable:
`PW=$(cat)`
``PW=$(cat)``
The create a cookie in `cookie.txt` like this (note that this makes your password visible for a short time to everyone on your system:
`curl -X POST -c cookie.txt -D head.txt -H "Content-Type: application/x-www-form-urlencoded" -d username=<USERNAME> -d password="$PW" --insecure "https://<SERVER>/login`
``curl -X POST -c cookie.txt -D head.txt -H "Content-Type: application/x-www-form-urlencoded" -d username=<USERNAME> -d
password="$PW" --insecure "https://<SERVER>/login``
To use the cookie, pass it on with later requests:
`curl -X GET -b cookie.txt --insecure "https://<SERVER>/Entity/12345"`
``curl -X GET -b cookie.txt --insecure "https://<SERVER>/Entity/12345"``
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment