====== Authentication ======

===== Description =====

Required for every request (GET and POST to the service, except for the function [[version_3:post_user_new|newuser]]).

The credentials should not be sent in plain text, for obvious security reasons. This service offers a way to verify the user’s credentials without transferring them in plain text.

First, the application that uses the service has to be registered with the service. A registered application receives an //appID// and an //appSecret//.

Second, the user creates an account for the service using the function [[version_3:post_user_new|newuser]]. The password is stored as //sha1([password])//, and your application should store it the same way.

Every request that is sent to the service requires exactly the following parameters:

==== data ====

JSON string with the actual request information.

==== nonce ====

A random alpha-numeric string, 40-60 characters, different for each request. Prevents a re-post of an intercepted request (since re-used nonces aren't allowed by the service).

==== aid ====

The appID (see above).

==== user ====

The name of the user.

==== h ====

A hash value of this whole query, salted with the user’s password and the app’s secret:

<code>
sha1 ( urlencode(data) . aid . urlencode(user) . urlencode(nonce) . appSecret . sha1 (password) )
</code>

This way, the app and the user can be verified on the server side by taking the stored appSecret and the user’s password, using these to create the hash again, and comparing that to the received hash h of the request.

===== Example =====

Imagine your app has the following variables:

<code php-script>
$data = "{}"; // urlencode($data) == "%7B%7D"
$nonce = "9rahz1nydugdfy4vlnloy1rone7re6y8u9t8uq3kazw2j5yf9h";
$user = "alex";
$userPass = sha1("password"); // = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
$aid = 1;
$appSecret = "226vuvu96gqb34yqoclbvcvul74nk61djgjojb93";
</code>

This results in a hash value //h// of

<code php-script>
// $userPass already holds sha1(password), so it is concatenated as-is.
$h = sha1 ( urlencode($data) . $aid . urlencode($user) . urlencode($nonce) . $appSecret . $userPass );
// $h == sha1 ( "%7B%7D" . 1 . "alex" . "9rahz1nydugdfy4vlnloy1rone7re6y8u9t8uq3kazw2j5yf9h" . "226vuvu96gqb34yqoclbvcvul74nk61djgjojb93" . "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" );
// $h == "61f20b56e892c8e55e6f08a68086034911d8c45b";
</code>

For the resulting request, only the above-mentioned variables are sent to the API.
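
The server-side check from the Description section, as an added example that is not part of the original page or the service's own code: it recomputes //h//, compares it in constant time and rejects a re-used nonce. The function names and the in-memory arrays standing in for the service's application, user and nonce stores are assumptions.

```php
<?php
// Added example, not the service's own code. $apps, $users and $seenNonces
// are hypothetical stand-ins for its application, user and nonce stores.
function requestHash(string $data, string $aid, string $user, string $nonce,
                     string $appSecret, string $passHash): string
{
    // Same field order as the formula in the Description section.
    return sha1(urlencode($data) . $aid . urlencode($user)
        . urlencode($nonce) . $appSecret . $passHash);
}

function verifyRequest(array $req, array $apps, array $users, array &$seenNonces): bool
{
    foreach (['data', 'nonce', 'aid', 'user', 'h'] as $key) {
        if (!isset($req[$key]) || !is_string($req[$key])) {
            return false; // every parameter is required
        }
    }
    // Nonce format from the page: alpha-numeric, 40-60 characters.
    if (!preg_match('/\A[A-Za-z0-9]{40,60}\z/', $req['nonce'])) {
        return false;
    }
    if (!isset($apps[$req['aid']], $users[$req['user']])) {
        return false; // unknown application or user
    }
    $expected = requestHash($req['data'], $req['aid'], $req['user'],
        $req['nonce'], $apps[$req['aid']], $users[$req['user']]);
    // hash_equals() compares in constant time.
    if (!hash_equals($expected, $req['h'])) {
        return false;
    }
    // Check the nonce only after the hash verified, so unauthenticated
    // requests cannot fill the store. A re-used nonce is a replay.
    if (isset($seenNonces[$req['nonce']])) {
        return false;
    }
    $seenNonces[$req['nonce']] = true;
    return true;
}

// Constructed request built from the values in the Example section.
$apps  = ['1' => '226vuvu96gqb34yqoclbvcvul74nk61djgjojb93'];
$users = ['alex' => sha1('password')];
$seen  = [];
$req   = ['data' => '{}', 'aid' => '1', 'user' => 'alex',
          'nonce' => '9rahz1nydugdfy4vlnloy1rone7re6y8u9t8uq3kazw2j5yf9h'];
$req['h'] = requestHash('{}', '1', 'alex', $req['nonce'], $apps['1'], $users['alex']);
var_dump(verifyRequest($req, $apps, $users, $seen)); // first delivery
var_dump(verifyRequest($req, $apps, $users, $seen)); // same request again
```

In a real deployment the nonce store has to persist across requests and be shared by all servers; the array here only lasts for one script run.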

version_4/authentication.txt · Last modified: 01.05.2016 21:57 (external edit)