mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-12-22 16:31:33 +00:00
docs: Merge API Authentication docs
Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
parent
1093da4a39
commit
58f306a38c
4 changed files with 30 additions and 23 deletions
|
@ -1,5 +0,0 @@
|
|||
# API Authentication
|
||||
## Public API
|
||||
All requests to the public API require authentication using a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750).
|
||||
|
||||
This token can be generated
|
29
docs/content/dev/design_docs/api_auth.md
Normal file
29
docs/content/dev/design_docs/api_auth.md
Normal file
|
@ -0,0 +1,29 @@
|
|||
# API Authentication
|
||||
|
||||
## Public API
|
||||
All requests to the public API require authentication using a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750).
|
||||
|
||||
This token can be generated using the profile page in the frontend
|
||||
(which in turn uses the private API to generate the token).
|
||||
|
||||
## Private API
|
||||
|
||||
The private API uses a session cookie to authenticate the user.
|
||||
Sessions are handled using passport.js.
|
||||
|
||||
The backend hands out a new session token after the user has successfully authenticated
|
||||
using one of the supported authentication methods:
|
||||
|
||||
- Username & Password (`local`)
|
||||
- LDAP
|
||||
- SAML
|
||||
- OAuth2
|
||||
- GitLab
|
||||
- GitHub
|
||||
- Facebook
|
||||
- Twitter
|
||||
- Dropbox
|
||||
- Google
|
||||
|
||||
The `SessionGuard`, which is added to each (appropriate) controller method of the private API,
|
||||
checks if the provided session is still valid and provides the controller method with the correct user.
|
|
@ -1,18 +0,0 @@
|
|||
# Private API Auth
|
||||
|
||||
## Supported kinds of authentication
|
||||
|
||||
- Username & Password (`local`)
|
||||
- LDAP
|
||||
- SAML
|
||||
- OAuth2
|
||||
- GitLab
|
||||
- GitHub
|
||||
- Facebook
|
||||
- Twitter
|
||||
- Dropbox
|
||||
- Google
|
||||
|
||||
## How the authentication works
|
||||
|
||||
The backend is called directly from the frontend. The different routes that handle different kinds of authentication perform any kind of verification needed and then create a session cookie. This session cookie is than provided with each subsequent call to the private api by the frontend (until it expires or the user logs out). The SessionGuard, which is added to each other (appropriate) controller method of the private api, checks if the provided session is still valid and provides the controller method with the correct user.
|
|
@ -22,6 +22,7 @@ nav:
|
|||
- Development:
|
||||
- '2.0 Development': dev/2.0.md
|
||||
- Design Documents:
|
||||
- API Authentication: dev/design_docs/api_auth.md
|
||||
- Notes: dev/design_docs/notes.md
|
||||
- 'User Profiles & Authentication': dev/design_docs/user_profiles.md
|
||||
- Configuration: dev/design_docs/config.md
|
||||
|
|
Loading…
Reference in a new issue