API Authentification » History » Version 5
Kurt Gerber, 09 Jan 2020 20:00
| 1 | 1 | Kurt Gerber | h1. API Authentification |
|---|---|---|---|
| 2 | |||
| 3 | Proposed Solution |
||
| 4 | The following is a proposed authentication mechanism for handling mobile app requests. This is to facilitate other API endpoints allowing users to create cases, upload images and edit cases. |
||
| 5 | |||
| 6 | 4 | Kurt Gerber | h2. User authentification and authorisation |
| 7 | 1 | Kurt Gerber | |
| 8 | 4 | Kurt Gerber | * Use the existing API Token for application authorisation |
| 9 | * Use a second token for the user authentification. This can be solved bei either one of the following options: |
||
| 10 | ** A: Using the existing django-based session ID, same as the web gui. |
||
| 11 | ** B: Create a Secondary authentication table, as follows: |
||
| 12 | *** One to many relationship to the Registered UserID (different mobile devices should be possible) |
||
| 13 | 5 | Kurt Gerber | *** 3 fields --> 'UserID', UserToken' & 'time_stamp' |
| 14 | 4 | Kurt Gerber | * When an API request to create a case, upload images or edit cases is received, follow the following use workflow: |
| 15 | # Authenticate with the API Token to ensure user has access to API |
||
| 16 | # Check if the Authenticated User has an 'unexpired' UserToken |
||
| 17 | ## A time limit is used to designate stale/fresh User Tokens |
||
| 18 | 1 | Kurt Gerber | |
| 19 | 4 | Kurt Gerber | * *Use case 1: User has no APP Token:* |
| 20 | # User has to authenticate to receive a UserToken |
||
| 21 | # Response is sent and the UserToken is included. This is the initial handshake |
||
| 22 | # Time stamp is updated |
||
| 23 | |||
| 24 | * *Use case 2: User has an Unexpired UserToken:* |
||
| 25 | # Request is accepted |
||
| 26 | # Time stamp is extended |
||
| 27 | # Response is served |
||
| 28 | |||
| 29 | * *Use case 3: User has an Expired UserToken:* |
||
| 30 | # User is re-authenticated with the API Token |
||
| 31 | # UserToken is refreshed |
||
| 32 | # Response is sent and the new UserToken is included |
||
| 33 | # Time stamp is updated |
||
| 34 | |||
| 35 | * *Use case 4: User has Incorrect UserToken:* |
||
| 36 | # Invalid Response is sent |
||
| 37 | |||
| 38 | |||
| 39 | h2. Case locking mechanism |
||
| 40 | |||
| 41 | *Problem:* |
||
| 42 | * The web application contains a locking mechanism: A draft version is locked as long as a case open in an editor/form. (* Timeout?*) |
||
| 43 | * This locking mechanism doesn't work with an offline application, because: |
||
| 44 | ** The server only knows when he sends or receives data, but it can't tell, if sent data is used for editing or view only. |
||
| 45 | ** Locking as long as the application is offline won't work, as that can take days. |
||
| 46 | |||
| 47 | * *Possible solutions:* |
||
| 48 | |||
| 49 | |||
| 50 | * The server receives case data (JSON) as POST on respective API endpoint (for a certain configuration/identifier): |
||
| 51 | |||
| 52 | # Checking, if the latest version of the case is either _'active'_ or _'draft'_ |
||
| 53 | # When latest version is _'draft'_, compares the last update timestamp to the timestamp of the UserToken |
||
| 54 | |||
| 55 | * *Use case 1: The latest version is _'active'_: * |
||
| 56 | # Creates a new draft version with the sent JSON |
||
| 57 | |||
| 58 | * *Use case 2: The latest version is not _'draft'_ and not _'active'_:* |
||
| 59 | # Data upload is rejected with: 'Case under review. Can't be updated' |
||
| 60 | |||
| 61 | * *Use case 3: The latest version is _'draft'_:* |
||
| 62 | # Checks if timestamp of last update on server is newer than the UserToken timestamp |
||
| 63 | |||
| 64 | * *Use case 4: UserToken timestamp is newer than update timestamp on server:* |
||
| 65 | # Merge sent JSON to draft version. |
||
| 66 | |||
| 67 | * *User case 5: Update timestamp on server is newer than UserToken timestamp:* |
||
| 68 | # Case was updated over another device / or over website |
||
| 69 | # Data upload is rejected with: 'Newer version exists.' |