docs: Merge API Authentication docs

Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren 2023-03-12 21:20:47 +01:00
parent 1093da4a39
commit 58f306a38c
4 changed files with 30 additions and 23 deletions

View file

@ -1,5 +0,0 @@
# API Authentication
## Public API
All requests to the public API require authentication using a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750).
This token can be generated

View file

@ -0,0 +1,29 @@
# API Authentication
## Public API
All requests to the public API require authentication using a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750).
This token can be generated using the profile page in the frontend
(which in turn uses the private API to generate the token).
## Private API
The private API uses a session cookie to authenticate the user.
Sessions are handled using passport.js.
The backend hands out a new session token after the user has successfully authenticated
using one of the supported authentication methods:
- Username & Password (`local`)
- LDAP
- SAML
- OAuth2
- GitLab
- GitHub
- Facebook
- Twitter
- Dropbox
- Google
The `SessionGuard`, which is added to each (appropriate) controller method of the private API,
checks if the provided session is still valid and provides the controller method with the correct user.

View file

@ -1,18 +0,0 @@
# Private API Auth
## Supported kinds of authentication
- Username & Password (`local`)
- LDAP
- SAML
- OAuth2
- GitLab
- GitHub
- Facebook
- Twitter
- Dropbox
- Google
## How the authentication works
The backend is called directly from the frontend. The different routes that handle different kinds of authentication perform any kind of verification needed and then create a session cookie. This session cookie is than provided with each subsequent call to the private api by the frontend (until it expires or the user logs out). The SessionGuard, which is added to each other (appropriate) controller method of the private api, checks if the provided session is still valid and provides the controller method with the correct user.

View file

@ -22,6 +22,7 @@ nav:
- Development: - Development:
- '2.0 Development': dev/2.0.md - '2.0 Development': dev/2.0.md
- Design Documents: - Design Documents:
- API Authentication: dev/design_docs/api_auth.md
- Notes: dev/design_docs/notes.md - Notes: dev/design_docs/notes.md
- 'User Profiles & Authentication': dev/design_docs/user_profiles.md - 'User Profiles & Authentication': dev/design_docs/user_profiles.md
- Configuration: dev/design_docs/config.md - Configuration: dev/design_docs/config.md