API Authentication
ArthurHoaro opened this issue · 1 comments
ArthurHoaro commented
As discussed in #2, we need a way to authenticate clients to Shaarli's API.
I'm in favor of using JWT:
- widely used, so there are client libraries in any language.
- pretty much easy to implement if you want to
- unique token for any request based on salted hash
@virtualtam has proposed to used an authentication process
When emitting several requests over an HTTP service that requires authentication, one usually:
- opens an HTTP session with a first request carrying the credentials,
- reuses this session to send further requests
Another possibility is OAuth in client_credentials mode. IMHO it's a bit too complex but it's not that hard:
- the client has an ID + secret
- get a temporary token from a
refresh_tokenendpoint - carry its token in every request
EDIT: actually OAuth without a database is a bad idea, because we need to store clients, authorization code and tokens, at least.
virtualtam commented
More on JWT:
- https://tools.ietf.org/html/rfc7519
- https://float-middle.com/json-web-tokens-jwt-vs-sessions/
- HackerNews thread: https://news.ycombinator.com/item?id=11929267
Actively maintained PHP libs:
- https://github.com/firebase/php-jwt (PHP 5.3+)
- https://github.com/lcobucci/jwt (PHP 5.5+)
- https://github.com/namshi/jose (PHP 5.5+)