docs: Merge API Authentication docs

Signed-off-by: David Mehren <git@herrmehren.de>
David Mehren 2023-03-12 21:20:47 +01:00
parent 1093da4a39
commit 58f306a38c
4 changed files with 30 additions and 23 deletions

View file

@ -1,5 +0,0 @@
# API Authentication
## Public API
All requests to the public API require authentication using a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750).
This token can be generated

View file

@ -0,0 +1,29 @@
# API Authentication
## Public API
All requests to the public API require authentication using a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750).
This token can be generated using the profile page in the frontend
(which in turn uses the private API to generate the token).
## Private API
The private API uses a session cookie to authenticate the user.
Sessions are handled using passport.js.
The backend hands out a new session token after the user has successfully authenticated
using one of the supported authentication methods:
- Username & Password (`local`)
- LDAP
- SAML
- OAuth2
- GitLab
- GitHub
- Facebook
- Twitter
- Dropbox
- Google
The `SessionGuard`, which is added to each (appropriate) controller method of the private API,
checks if the provided session is still valid and provides the controller method with the correct user.
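Review bot: the paragraph starting "The `SessionGuard`, which is added to each (appropriate) controller method" follows the "- Google" bullet with no blank line, so Markdown renderers treat it as a lazy continuation of that last list item rather than a new paragraph; insert a blank line after "- Google" (and ideally before each "##" heading for consistency). The same section also switches terminology: "The private API uses a session cookie to authenticate the user." is followed two lines later by "The backend hands out a new session token", so pick one term, or state explicitly that the token is carried in the session cookie.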

View file

@ -1,18 +0,0 @@
# Private API Auth
## Supported kinds of authentication
- Username & Password (`local`)
- LDAP
- SAML
- OAuth2
- GitLab
- GitHub
- Facebook
- Twitter
- Dropbox
- Google
## How the authentication works
The backend is called directly from the frontend. The different routes that handle different kinds of authentication perform any kind of verification needed and then create a session cookie. This session cookie is than provided with each subsequent call to the private api by the frontend (until it expires or the user logs out). The SessionGuard, which is added to each other (appropriate) controller method of the private api, checks if the provided session is still valid and provides the controller method with the correct user.
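Review bot: the removed "How the authentication works" paragraph carries two details that the merged api_auth.md does not: that the frontend calls the backend directly and that the session cookie "is than provided with each subsequent call to the private api by the frontend (until it expires or the user logs out)". The expiry/logout condition in particular is the kind of statement a reader of the design doc will look for; consider carrying it over into the "## Private API" section of the new file rather than dropping it with this file.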

View file

@ -22,6 +22,7 @@ nav:
- Development:
- '2.0 Development': dev/2.0.md
- Design Documents:
- API Authentication: dev/design_docs/api_auth.md
- Notes: dev/design_docs/notes.md
- 'User Profiles & Authentication': dev/design_docs/user_profiles.md
- Configuration: dev/design_docs/config.md