Skip to content

Latest commit

 

History

History
37 lines (32 loc) · 2.48 KB

authentication.org

File metadata and controls

37 lines (32 loc) · 2.48 KB

Authentication in Trow

An implementation of the Open Authorization standard.

no url - passes Welcome message

v2 url - sends the www.authenticate response

login - reads the basic token and returns a bearer token

all subsequent urls need to check bearer token

At the moment takes a base64 encoded user/pass combination and checks it against hard coded values. If credentials are valid a bearer token is returned.

TODO

Need other methods of input rather than just base 64 encoded credentials. Need better than a hardcoded username / password combination. Interim configurable user/pass. Medium term password file. Long term full blown OAuth implementation.

test curl commands

curl top level should get welcome message

curl -iv -H “Authorization: Basic YWRtaW46cGFzc3dvcmQK” https://trow.test:8443/ –cacert certs/ca.crt

curl v2 url - should fire euth header

curl -iv -H “Authorization: Basic YWRtaW46cGFzc3dvcmQK” https://trow.test:8443/v2 –cacert certs/ca.crt

curl with admin password b64 encrypted

curl -iv -H “Authorization: Basic YWRtaW46cGFzc3dvcmQK” https://trow.test:8443/login –cacert certs/ca.crt

curl with valid bearer token

curl -iv -H “Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiOm51bGwsImFsZyI6IkhTMjU2In0.eyJ1c2VyX2lkIjoiYWRtaW4iLCJjbGllbnRfaWQiOiJkb2NrZXIiLCJzY29wZSI6InB1c2gvcHVsbCIsImlhdCI6MjM0NTIzNDU2LCJleHAiOjM2MDB9.tNgEg1f5a6qvJT5Kxx0Gpw2vh4nSpz5UbMf0Al66k2g” https://trow.test:8443/login –cacert certs/ca.crt

curl with bad authorization token

curl -iv -H “Authorization: Basic YWRtaW46cGFzc3dvcmQKbadtoken” https://trow.test:8443/login –cacert certs/ca.crt

curl with bad bearer token

curl -iv -H “Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiOm51bGwsImFsZyI6IkhTMjU2In0.eyJ1c2VyX2lkIjoiYWRtaW4iLCJjbGllbnRfaWQiOiJkb2NrZXIiLCJzY29wZSI6InB1c2gvcHVsbCIsImlhdCI6MjM0NTIzNDU2LCJleHAiOjM2MDB9.tNgEg1f5a6qvJT5Kxx0Gpw2vh4nSpz5UbMf0Al66k2gbadtoken” https://trow.test:8443/login –cacert certs/ca.crt

curl token from docker

curl “https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/ubuntu:pull

proper catch all value for token enum

move ok token string to within the match token

create tests for authentication code

authorisation secret is declared in 2 places

used system time, but then had to add chrono time to format the time string for docker

not sure how to call authentication check on all routes

Using the auth_user struct to determine if the user is logged in may bot be the best way to do it