WOCAT » QCAT

Hi Kurt,
After discussion with Kevin, here is a proposed authentication mechanism for allowing users to create cases, upload images and edit cases.
This is very non-standard and maybe insecure.

• Use the existing API Token for Primary authentication in all cases.
• Create a Secondary authentication table, as follows:

• One to one relationship to the Registered UserID
• 3 fields --> 'UserID', 'APPToken' & 'time_stamp'

• When a user with the header 'User-Agent: app' sends a request <to create a case, upload images or edit cases>*

• Authenticate with the API Token to ensure user has access to API.
• Check if the Authenticated User has an 'unexpired' APP Token <a time limit is used to designate stale/fresh APP Tokens>
• No APP Token, Create the token and serve response + new APP Token <initial handshake>
• Unexpired APP Token, accept the request, refresh the token time stamp and serve the response
• Expired APP Token, refresh the token and serve the response + new APP Token
• Incorrect APP Token, respond as invalid <potential issue here on what to do with works in progress for the user>

Looking ahead to the discussion and feedback.

Thanks,
Guhan

Could you try to document here, what we have discussed concerning the authentification?

Hi Kurt,
Apologies for the delay in getting this out.
Please find attached the description of the proposed solution based on our discussion from 3 weeks back.

Thanks,
Guhan

Works