Authorization
Authentication is handled by the Stormpath service and associated libraries.
A library, express-stormpath, plugs into an existing Express application and mounts four endpoints for handling authentication:
- /login
- /logout
- /register
- /oauth/token
What happens behind the scenes is still somewhat of a mystery to me, since I haven't read through all of the code yet. The overall gist, though, is that express-stormpath mounts a router onto an Express app instance to expose these routes. Each route interacts with Stormpath's API through their SDK, either POSTing a new user, retrieving an existing one, or performing whatever other simple action the SDK provides.
The login and register routes present predefined HTML pages that let a user enter his information to be authenticated or to create a new account, and the logout route... er, logs people out.
The oauth route is what Calidrought uses to issue an OAuth bearer token via the client_credentials grant. The client ID and secret are sent as HTTP Basic credentials (httpie's --auth flag) and the grant type goes in the body:

```
⋊> ~ http --auth <client_id>:<client_id_secret> 'http://ec2-54-167-131-100.compute-1.amazonaws.com/oauth/token' grant_type=client_credentials
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 354
Content-Type: application/json; charset=utf-8
Date: Sat, 28 Nov 2015 00:41:35 GMT
ETag: W/"162-TatyfT9J9SeeFrFifOQXww"
X-Powered-By: Express
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyWkMzMDU4OUxDODdDTlM0NUVKUUlaR05PIiwiaXNzIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hcHBsaWNhdGlvbnMvWXNyQUhXdnd4NmhlVXp0eWxlUjJUIiwiaWF0IjoxNDQ4NjcxMjk2LCJleHAiOjE0NDg2NzQ4OTYsInNjb3BlIjoiIn0.wyW3aQTZ0c7R0jZ22l_nyclIvp51MfGRo9QDxuM6NZ8",
"expires_in": 3600,
"scope": "",
"token_type": "bearer"
}
```
The access token is a JWT. Its header decodes to {"typ":"JWT","alg":"HS256"}, and its payload carries a sub (the API key ID), an iss pointing at the Stormpath application, iat and exp one hour apart (matching expires_in), and an empty scope. It is passed to Calidrought's protected API routes as a Bearer credential in the Authorization header. Note that both requests here go over plain HTTP to the EC2 host, so the client secret in the Basic header and the bearer token are visible to anyone on the path; the API should sit behind TLS before real keys are handed out.

```
⋊> ~ http GET http://ec2-54-167-131-100.compute-1.amazonaws.com/api/stations 'Authorization:Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyWkMzMDU4OUxDODdDTlM0NUVKUUlaR05PIiwiaXNzIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92MS9hcHBsaWNhdGlvbnMvWXNyQUhXdnd4NmhlVXp0eWxlUjJUIiwiaWF0IjoxNDQ4NjcxMjk2LCJleHAiOjE0NDg2NzQ4OTYsInNjb3BlIjoiIn0.wyW3aQTZ0c7R0jZ22l_nyclIvp51MfGRo9QDxuM6NZ8'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 186
Content-Type: application/json; charset=utf-8
Date: Sat, 28 Nov 2015 00:53:05 GMT
ETag: W/"ba-EliylC93WA4U7SaKnCCVRw"
X-Powered-By: Express
[
{
"County": "State of Arizona",
"Elevation": "3700' ft",
"Hydrologic Area": "COLORADO RIVER",
"River Basin": "COLORADO R",
"Station ID": "MEA",
"stationID": "ce2f7f14-ca1c-48e0-815c-23639298f89c"
}
]
```
To get an OAuth bearer token, a developer first needs the client ID and secret from the API key set shown on his Dashboard:
Yes, permanently presenting the secret key is pretty insecure - I plan on changing that. Yes, the key presented in this image has been recycled.
As of right now, I offer no easy way to create or delete API keys. I plan on implementing simple key management in the future.