
Authentication

Description

Authentication is required for every request (GET and POST) to the service, except for the function newuser. The credentials must not be sent in plain text, since anyone able to observe the request could read them. This service therefore offers a way to verify the user's credentials without transferring them in plain text.

First, the application that uses the service has to be registered with the service. A registered application receives an appID and an appSecret. Second, the user creates an account for the service using the function newuser. The service stores the password as sha1([password]), and your application should do the same.

Every request sent to the service requires exactly the following parameters:

data
    JSON string with the actual request information.

nonce
    A random alphanumeric string, 40-60 characters, different for each request. Prevents a re-post of an intercepted request, since the service rejects a nonce that has already been used.

aid
    The appID (see above).

user
    The name of the user.

h
    A hash value over the whole query, salted with the user's password and the app's secret:

    sha1 ( urlencode(data) . aid . urlencode(user) . urlencode(nonce) . appSecret . sha1 (password) )

This way, the server can verify both the app and the user: it takes the stored appSecret and the user's stored password hash, recomputes the hash from the received parameters and compares the result to the received hash h of the request.

Example

Imagine your app has the following variables:

$data = "{}";                    // urlencode($data) == "%7B%7D"
$nonce = "9rahz1nydugdfy4vlnloy1rone7re6y8u9t8uq3kazw2j5yf9h";
$user = "alex";
$userPass = sha1("password");    // == "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"; the app stores only this hash
$aid = 1;
$appSecret = "226vuvu96gqb34yqoclbvcvul74nk61djgjojb93";

This results in a hash value h of

// $userPass already holds sha1(password), so it is appended as-is (hashing it again would not match the server's computation)
$h = sha1 ( urlencode($data) . $aid . urlencode($user) . urlencode($nonce) . $appSecret . $userPass );
// $h == sha1 ( "%7B%7D" . 1 . "alex" . "9rahz1nydugdfy4vlnloy1rone7re6y8u9t8uq3kazw2j5yf9h" . "226vuvu96gqb34yqoclbvcvul74nk61djgjojb93" . "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" );
// $h == "61f20b56e892c8e55e6f08a68086034911d8c45b";

The resulting request sends only the parameters listed above (data, nonce, aid, user and h) to the API; the password hash and the appSecret never leave the app.
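The following Python block is an added example, not code from this wiki or from the service it documents. It implements both sides of the scheme described above: the client builds the five request parameters and computes h, and a small server-side verifier recomputes h from the stored appSecret and password hash, compares it in constant time, and rejects a reused nonce. The app secret, appID, user name and password are the constructed values from the example on this page; the `Verifier` class, the `php_urlencode` helper and the in-memory nonce set are assumptions of this example (a real service would persist used nonces).

```python
import hashlib
import hmac
import secrets
import string
from urllib.parse import quote_plus

# Constructed values copied from the example on this page; not a real deployment.
APP_SECRET = "226vuvu96gqb34yqoclbvcvul74nk61djgjojb93"
APP_ID = 1
# Both the service and the client app store sha1(password), never the password itself.
STORED_PASSWORD_HASH = hashlib.sha1(b"password").hexdigest()


def php_urlencode(value: str) -> str:
    """Approximate PHP's urlencode(): quote_plus() encodes '{', '}' and spaces
    the same way; it only differs for '~', which PHP's urlencode also encodes."""
    return quote_plus(value).replace("~", "%7E")


def request_hash(data: str, aid, user: str, nonce: str,
                 app_secret: str, password_sha1: str) -> str:
    """h = sha1(urlencode(data) . aid . urlencode(user) . urlencode(nonce)
                . appSecret . sha1(password)), exactly as the page defines it."""
    material = (php_urlencode(data) + str(aid) + php_urlencode(user)
                + php_urlencode(nonce) + app_secret + password_sha1)
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def new_nonce(length: int = 50) -> str:
    """Random alphanumeric nonce of 40-60 characters, as the API requires."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_request(data: str, user: str, password_sha1: str) -> dict:
    """Client side: the five parameters that are actually sent to the service.
    The password hash and the appSecret are used only to compute h."""
    nonce = new_nonce()
    return {
        "data": data,
        "nonce": nonce,
        "aid": APP_ID,
        "user": user,
        "h": request_hash(data, APP_ID, user, nonce, APP_SECRET, password_sha1),
    }


class Verifier:
    """Server side (hypothetical): recompute h from stored secrets and reject replays."""

    def __init__(self, app_secrets: dict, user_hashes: dict):
        self.app_secrets = app_secrets   # aid  -> appSecret
        self.user_hashes = user_hashes   # user -> sha1(password)
        self.seen_nonces = set()         # a real service persists this across requests

    def verify(self, req: dict) -> bool:
        nonce = req["nonce"]
        # Enforce the documented nonce format before doing anything else.
        if not (40 <= len(nonce) <= 60 and nonce.isalnum()):
            return False
        secret = self.app_secrets.get(req["aid"])
        pw_hash = self.user_hashes.get(req["user"])
        if secret is None or pw_hash is None:
            return False
        expected = request_hash(req["data"], req["aid"], req["user"],
                                nonce, secret, pw_hash)
        # Constant-time comparison so a wrong h cannot be probed byte by byte.
        if not hmac.compare_digest(expected, req["h"]):
            return False
        # A nonce that was already accepted means a re-post of an intercepted request.
        if nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    service = Verifier({APP_ID: APP_SECRET}, {"alex": STORED_PASSWORD_HASH})
    req = build_request("{}", "alex", STORED_PASSWORD_HASH)
    print("first submission accepted:", service.verify(req))
    print("same request replayed:    ", service.verify(req))
```

The verifier checks the hash before the nonce, so an unauthenticated sender cannot consume nonces on behalf of a legitimate app; the nonce set is the part that must survive restarts, otherwise the replay protection disappears with it.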

version_3/authentication.txt · Last modified: 01.05.2016 21:57 (external edit)