hedgedoc/docs/content/dev/design_docs/api_auth.md
David Mehren 58f306a38c docs: Merge API Authentication docs
Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-24 20:06:11 +01:00


API Authentication

Public API

All requests to the public API require authentication using a bearer token.

This token can be generated using the profile page in the frontend (which in turn uses the private API to generate the token).

Private API

The private API uses a session cookie to authenticate the user. Sessions are handled using passport.js.

The backend hands out a new session token after the user has successfully authenticated using one of the supported authentication methods:

  • Username & Password (local)
  • LDAP
  • SAML
  • OAuth2
  • GitLab
  • GitHub
  • Facebook
  • Twitter
  • Dropbox
  • Google

The SessionGuard, which is applied to each (appropriate) controller method of the private API, checks whether the provided session is still valid and passes the matching user to the controller method; requests without a valid session are rejected before the method runs.
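As an added example (not HedgeDoc's own code), the two checks this page describes written as plain TypeScript functions: the session lookup behind the private API, which fails closed on a missing or expired session as the SessionGuard does, and the bearer-token lookup for the public API. The `keyId.secret` token layout, the SHA-512 hashing of the secret, the in-memory stores and all fixture values are assumptions made for this example.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Hypothetical record shapes; HedgeDoc's real entities differ.
interface User { username: string }
interface SessionRecord { username: string; validUntil: number }
interface ApiTokenRecord { username: string; hash: Buffer; validUntil: number }

// Constructed in-memory stores standing in for the session and token tables.
const users = new Map<string, User>();
const sessions = new Map<string, SessionRecord>();
const apiTokens = new Map<string, ApiTokenRecord>();

const sha512 = (s: string): Buffer => createHash('sha512').update(s).digest();

// Private API: resolve the session cookie to a user, or return null so the
// caller rejects the request. Unknown and expired sessions are treated alike.
export function userFromSession(cookie: string | undefined, now = Date.now()): User | null {
  if (!cookie) return null;
  const session = sessions.get(cookie);
  if (!session || session.validUntil <= now) return null;
  return users.get(session.username) ?? null;
}

// Public API: resolve "Authorization: Bearer <keyId>.<secret>" to a user.
// Only a hash of the secret is stored, and it is compared in constant time.
export function userFromBearer(header: string | undefined, now = Date.now()): User | null {
  const m = /^Bearer\s+([^\s.]+)\.([^\s.]+)$/.exec(header ?? '');
  if (!m) return null;
  const record = apiTokens.get(m[1]);
  if (!record || record.validUntil <= now) return null;
  const presented = sha512(m[2]);
  if (presented.length !== record.hash.length || !timingSafeEqual(presented, record.hash)) {
    return null;
  }
  return users.get(record.username) ?? null;
}

// Constructed fixtures for the demo; none of these are real credentials.
export function seedFixtures(now: number): void {
  users.set('alice', { username: 'alice' });
  sessions.set('sess-valid', { username: 'alice', validUntil: now + 60_000 });
  sessions.set('sess-expired', { username: 'alice', validUntil: now - 1 });
  apiTokens.set('k1', { username: 'alice', hash: sha512('secret-1'), validUntil: now + 60_000 });
}
```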