API Authentification » History » Version 3
Kurt Gerber, 09 Jan 2020 15:33
->
| 1 | 1 | Kurt Gerber | h1. API Authentification |
|---|---|---|---|
| 2 | |||
| 3 | Proposed Solution |
||
| 4 | The following is a proposed authentication mechanism for handling mobile app requests. This is to facilitate other API endpoints allowing users to create cases, upload images and edit cases. |
||
| 5 | |||
| 6 | *Caveat: This is very non-standard and maybe insecure* |
||
| 7 | 2 | Kurt Gerber | |
| 8 | * Use the existing API Token for Primary authentication in all cases |
||
| 9 | * Create a Secondary authentication table, as follows: |
||
| 10 | ** One to one relationship to the Registered UserID |
||
| 11 | 3 | Kurt Gerber | ** 3 fields --> 'UserID', 'APPToken' & 'time_stamp' --> (*Why not using the alredy exiting Django-based session?*) |
| 12 | 2 | Kurt Gerber | * When an API request to create a case, upload images or edit cases is received |
| 13 | ** Authenticate with the API Token to ensure user has access to API |
||
| 14 | ** Check if the Authenticated User has an 'unexpired' APP Token |
||
| 15 | *** A time limit is used to designate stale/fresh APP Tokens |
||
| 16 | ** User has no APP Token: |
||
| 17 | 3 | Kurt Gerber | *** APP Token is Generated (*...after successfull authentification, I guess*) |
| 18 | 2 | Kurt Gerber | *** Response is sent and the APP Token is included |
| 19 | *** This is the initial handshake |
||
| 20 | *** Time stamp is updated |
||
| 21 | ** User has an Unexpired APP Token: |
||
| 22 | *** Request is accepted |
||
| 23 | *** Time stamp is extended |
||
| 24 | *** Response is served |
||
| 25 | ** User has an Expired APP Token: |
||
| 26 | *** User is re-authenticated with the API Token |
||
| 27 | *** APP Token is refreshed |
||
| 28 | *** Response is sent and the new APP Token is included |
||
| 29 | *** Time stamp is updated |
||
| 30 | ** User has Incorrect APP Token: |
||
| 31 | *** Invalid Response is sent |
||
| 32 | |||
| 33 | * Issues and possible solutions |
||
| 34 | 3 | Kurt Gerber | ** Conflicts when more than one user is trying to edit a case |
| 35 | 2 | Kurt Gerber | *** Use a Locking mechanism while user is Editing a case |
| 36 | **** This will prevent users from ending up with a conflict |
||
| 37 | **** Lock will be released after the APP Token expires |
||
| 38 | *** Conflict resolution: |
||
| 39 | **** Comparing the last updated time to the APP time stamp and determining if newer edits can be merged without conflict |
||
| 40 | *** Edited cases will be rejected if they are submitted after the APP Token has expired |