This repository has been archived by the owner on Jul 12, 2019. It is now read-only.

Authorization

Tyler Hampton edited this page Nov 28, 2015 · 3 revisions

Overview

Authentication is handled by the Stormpath service and associated libraries.

Express Stormpath

A library exists that plugs into an existing Express application and provides four different endpoints for handling authentication:

  • /login
  • /logout
  • /register
  • /oauth/token

What is happening behind the scenes is still somewhat of a mystery to me since I haven't completely read through the code yet. However, the overall gist of the mechanism is that express-stormpath mounts a router onto an Express app instance to expose the different routes. Each route interacts with Stormpath's API using their SDK - either POSTing a new user, retrieving an existing one, or performing any other simple action that the SDK provides.

The login and register routes present predefined HTML pages that will allow a user to enter his information in order to be authenticated or to create a new account and the logout route... er, logs people out.

OAuth2

The oauth route is what Calidrought uses to issue an oauth bearer token:

> ~ http --auth <client_id>:<client_id_secret> 'http://ec2-54-167-131-100.compute-1.amazonaws.com/oauth/token' grant_type=client_credentials
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 354
Content-Type: application/json; charset=utf-8
Date: Sat, 28 Nov 2015 00:41:35 GMT
ETag: W/"162-TatyfT9J9SeeFrFifOQXww"
X-Powered-By: Express

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyWkMzMDU4OUxDODdDTlM0NUVKUUlaR05PIiwiaXNzIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hcHBsaWNhdGlvbnMvWXNyQUhXdnd4NmhlVXp0eWxlUjJUIiwiaWF0IjoxNDQ4NjcxMjk2LCJleHAiOjE0NDg2NzQ4OTYsInNjb3BlIjoiIn0.wyW3aQTZ0c7R0jZ22l_nyclIvp51MfGRo9QDxuM6NZ8",
    "expires_in": 3600,
    "scope": "",
    "token_type": "bearer"
}

The access token is actually a JWT and can be passed along in an authentication header to Calidrought's protected API routes.

> ~ http GET http://ec2-54-167-131-100.compute-1.amazonaws.com/api/stations 'Authorization:Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyWkMzMDU4OUxDODdDTlM0NUVKUUlaR05PIiwiaXNzIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hcHBsaWNhdGlvbnMvWXNyQUhXdnd4NmhlVXp0eWxlUjJUIiwiaWF0IjoxNDQ4NjcxMjk2LCJleHAiOjE0NDg2NzQ4OTYsInNjb3BlIjoiIn0.wyW3aQTZ0c7R0jZ22l_nyclIvp51MfGRo9QDxuM6NZ8'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 186
Content-Type: application/json; charset=utf-8
Date: Sat, 28 Nov 2015 00:53:05 GMT
ETag: W/"ba-EliylC93WA4U7SaKnCCVRw"
X-Powered-By: Express

[
    {
        "County": "State of Arizona",
        "Elevation": "3700' ft",
        "Hydrologic Area": "COLORADO RIVER",
        "River Basin": "COLORADO R",
        "Station ID": "MEA",
        "stationID": "ce2f7f14-ca1c-48e0-815c-23639298f89c"
    }
]

To get an oauth bearer token, a developer can go to his Dashboard and view his API key set:

Yes, permanently presenting the secret key is pretty insecure - I plan on changing that. Yes, the key presented in this image has been recycled.

To-do:

As of right now, I offer no easy way to create or delete new API keys. I plan on implementing simple key management in the future.
