Updates auth-service's interface

- Also updates `example-data.json` corresponding to OpenSlides/openslides-auth-service#32
This commit is contained in:
GabrielMeyer 2020-10-07 09:48:38 +02:00
parent c83a82337b
commit d123f0934a
2 changed files with 80 additions and 31 deletions

View File

@ -22,7 +22,7 @@
"last_name": "Administrator",
"is_active": true,
"is_committee": false,
"password": "1422e767c5e08bb7196844025a0f98e1x61Ey612Kl2gpFL56FT9weDnpSo4AV8j8+qx2AuTHdRyY036xxzTTrw10Wq3+4qQyB+XURPWx1ONxp3Y3pB37A==",
"password": "316af7b2ddc20ead599c38541fbe87e9a9e4e960d4017d6e59de188b41b2758flD5BVZAZ8jLy4nYW9iomHcnkXWkfk3PgBjeiTSxjGG7+fBjMBxsaS1vIiAMxYh+K38l0gDW4wcP+i8tgoc4UBg==",
"default_password": "admin",
"about_me": "",
"gender": "",
@ -72,7 +72,7 @@
"last_name": "",
"is_active": true,
"is_committee": false,
"password": "7f0d953dadfddb2005da4c04037abf61H0D8ktokFpR1CXnubPWC8tXX0o4YM13gWrxU0FYOD1MChgxlK/CNVgJSql50IQVG82n7u86MEs/HlXsmUv6adQ==",
"password": "316af7b2ddc20ead599c38541fbe87e9a9e4e960d4017d6e59de188b41b2758fDB3tv5HcCtPRREt7bPGqerTf1AbmoKXt/fVFkLY4znDRh2Yy0m3ZjXD0nHI8oa6KrGlHH/cvysfvf8i2fWIzmw==",
"default_password": "a",
"about_me": "",
"gender": "",
@ -118,7 +118,7 @@
"last_name": "",
"is_active": true,
"is_committee": false,
"password": "a7ba62036711bbd11163661547947f23Umd2iCLuYk1I/OFexcp5y9YCy39MIVelFlVpkfIu+Me173sY0f9BxZNw77CFhlHUSpNsEbexRMSP4E3zxqPo2g==",
"password": "316af7b2ddc20ead599c38541fbe87e9a9e4e960d4017d6e59de188b41b2758fIxDxvpkn6dDLRxT9DxJhZ/f04AL2oK2beICRFobSw53CI93U+dfN+w+NaL7BvrcR4JWuMj9NkH4dVjnnI0YTkg==",
"default_password": "jKwSLGCk",
"about_me": "",
"gender": "",

View File

@ -1,3 +1,7 @@
// Description of the authentication-service
// It is listening on port '9004'
// Routes with a prefix 'api' are protected routes, that can only accessed with a valid ticket.
Interface Token {
payload: {
// The lifetime of the Token. The date in unix seconds of the expiration.
@ -13,14 +17,43 @@ Interface Token {
Interface Cookie {
// The id for the session corresponding to the client, who has signed in.
sessionId: string,
// A signature created from the server.
signature: string
// The lifetime of a cookie. Date of expiration in unix seconds.
exp: number,
// Date of creation of a token in unix seconds.
iat: number
}
// The properties of this interface have to be passed as HTTP-headers in a request.
Interface Ticket {
authentication: string,
cookies: {
refreshId: string,
[name: string]: string
}
}
/**
* The client has not the necessary permissions for the requesting action.
* Describes an http-response, which is sent back to any requesting service.
*/
Exception NoPermissions
Interface Response <T> {
// Optional headers, which are set in an http-response
httpHeaders: {
// Authentication is passed, if a new access-token is returned.
authentication?: string,
// Cookies, like one containing 'refreshId=(Cookie as string)', if a user signs in, are passed.
// Lifetime of one cookie is about 24h.
// Flags for the cookies are: HttpOnly, Secure
cookies: {
[name: string]: string
}
}
// This determines if a request was successful.
success: boolean,
// This sends back a describing message. For example, the reason of a failured request.
message: string,
// Optional data, which is appended, if a request was successful.
data?: T
}
/**
* The credentials for login/authentication are not valid.
@ -28,6 +61,8 @@ Exception NoPermissions
Exception InvalidCredentials
/**
* POST to /system/auth/login
*
* The client can login with its credentials for authentication.
* If they are correct, the service answers with a signed Token and sets a cookie, containing the sessionId of the client.
*
@ -35,9 +70,11 @@ Exception InvalidCredentials
*
* @throws InvalidCredentials
*/
Login (username: string, password: string): (Token, Cookie);
login (username: string, password: string): Response<void>;
/**
* POST to /system/auth/who-am-i
*
* An example for any protected route. If the client requests protected resources, it has to
* send the signed Token and the cookie, it receives from the service at login, to the server.
*
@ -49,9 +86,11 @@ Login (username: string, password: string): (Token, Cookie);
*
* @throws InvalidCredentials
*/
Authenticate (token: Token, cookie: Cookie): {userId: number; sessionId: string;};
who-am-i (ticket: Ticket): Response<void>;
/**
* POST to /internal/auth/api/authenticate
*
* A request to get knowledge about themselves. This information is contained in the payload of
* a Token. So, this function handles the refreshing of a Token.
*
@ -61,44 +100,54 @@ Authenticate (token: Token, cookie: Cookie): {userId: number; sessionId: string;
*
* @throws InvalidCredentials
*/
WhoAmI(cookie: Cookie): Token;
api/authenticate (ticket: Ticket): Response<LoginInformation>;
/**
* Function to kill one specific session by its id.
*
* An exception is thrown, if the client has not the necessary permissions to make this action.
* Also, if there is no session with the given id, an exception is thrown.
* DELETE to /system/auth/api/clear-session-by-id
*
* @throws NoPermissions: Only users themselves can clear their own session and (super-) admins
* can do this, too.
* Function to sign out one specific client from a user by its corresponding session-id.
*/
ClearSessionById (sessionId: string, cookie: Cookie, token: Token): void publishes LogoutSessionEvent;
api/clear-session-by-id (sessionId: string, ticket: Ticket): Response<void> publishes LogoutSessionEvent;
/**
* Function to kill all current opened sessions except the one, which is requesting.
* POST to /system/auth/api/clear-all-session-except-themselves
*
* An exception is thrown, if the client has not the necessary permissions to make this action.
*
* @throws NoPermissions: Only (super-) admins has the necessary permissions to logout and clear
* other user's session.
* Function to kill all current opened sessions from one user except the one, which is requesting.
*/
ClearAllSessionsExceptThemselves (token: Token, cookie: Cookie): void publishes LogoutSessionEvent;
Event LogoutSessionEvent on topic Logout {
sessionId: string;
}
api/clear-all-sessions-except-themselves (sessionId: string, ticket: Ticket): Response<void> publishes LogoutSessionEvent;
/**
* POST to /system/auth/api/logout
*
* The service deletes the session depending on the given Token.
*
* @throws InvalidCredentials
*/
Logout (token: Token, cookie: Cookie): void publishes LogoutSessionEvent;
api/logout (ticket: Ticket): Response<void> publishes LogoutSessionEvent;
/**
* GET to system/auth/api/list-sessions
*
* Returns all currently active sessions.
*
* @throws NoPermissions: The users can only see their own session. Only (super-) admins can see sessions
* of other users.
* @returns an array containing currently active sessions.
*/
ListSessions (token: Token, cookie: Cookie): string[];
api/list-sessions (ticket: Ticket): Response<{sessions: string[]}>;
/**
* POST to /internal/auth/hash
*
* Hashes a given value. A random salt (64bit) is generated and added to the hashed value.
*
* @returns the hashed value. The hashed value is structured as follows: [salt + hash].
*/
hash (toHash: string): Response<{hash: string}>;
/**
* POST to /internal/auth/is-equals
*
* Compares a given value with an given hash.
*
* @returns a boolean, if the hashed value of the given value is equals to the passed hash.
*/
is-equals (toHash: string, toCompare: string): Response<{isEquals: boolean}>;