bhspitmonkey / ninjam-js Goto Github PK

12:46 < stefanha> Hmm...I didn't document the ACL
12:47 < stefanha> The jam network protocol differences aren't documented.
12:47 < stefanha> They are minor though.
12:48 < stefanha> One difference is that text is UTF-8
12:48 < BHSPiMonkey> I saw the different client version value, but didn't finish figuring out the auth differences
12:48 < BHSPiMonkey> oh, that's nice
12:48 < stefanha> Auth is:
12:49 < stefanha> 1. Client posts secret to /tokens/ REST API (using HTTP Authentication with username/password)
12:49 < stefanha> 2. Client connects to jam server and uses the secret as the "password" instead of the user's account password
12:49 < stefanha> The advantage of this approach is that the jam server doesn't need the plaintext password,
12:50 < stefanha> so account passwords can be stored hashed/salted instead of as plaintext by jammr.
12:51 < BHSPiMonkey> Do I need to request a different token each time the user connects to a server?
12:51 < stefanha> BHSPiMonkey: Tokens expire so it's best to generate a new token and post it each time the user starts the app
12:52 < BHSPiMonkey> OAuth2 or custom?
12:52 < stefanha> It is a custom authentication system.
12:52 < stefanha> But fairly simple
12:52 < stefanha> See JammrLoginDialog::login()
12:53 < stefanha> hexToken = QCryptographicHash::hash(QUuid::createUuid().toRfc4122(), QCryptographicHash::Sha1).toHex();
12:53 < stefanha> The client generates a random secret token.
12:53 < stefanha> It POSTs the secret token to the REST API: /tokens/<username>
12:53 < stefanha> with HTTP Authentication <username>:<password>
12:54 < stefanha> So the REST API server is the one that does the account login.
12:54 < stefanha> Now that the secret token has been set, the client can connect to a jam server.
12:54 < stefanha> The jam server will retrieve the secret token for the user.  The secret token is used as the "password" in NINJAM auth.
12:55 < stefanha> And the client proved that it owns the account by POSTing the token successfully.