X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2Fmd%2FREST-API.md;h=01071d8e550775d7836d99a6129ca5871a7a3d27;hb=91a21c272960889afd4eaa431a3d29b7785b6efc;hp=11bd1cd22f9a62a275ef3b5ce8570849545bb00e;hpb=6128ab6a55430a2b705be31ff417c0c552a0db1f;p=github%2Fshaarli%2FShaarli.git diff --git a/doc/md/REST-API.md b/doc/md/REST-API.md index 11bd1cd2..01071d8e 100644 --- a/doc/md/REST-API.md +++ b/doc/md/REST-API.md @@ -1,101 +1,24 @@ -## Usage and Prerequisites +# REST API -See the [REST API documentation](http://shaarli.github.io/api-documentation/) -for a list of available endpoints and parameters. +## Server requirements -Please ensure that your server meets the -[requirements](Server-configuration#prerequisites) and is properly -[configured](Server-configuration): +See the **[REST API documentation](http://shaarli.github.io/api-documentation/)** for a list of available endpoints and parameters. + +Please ensure that your server meets the requirements and is properly [configured](Server-configuration): - URL rewriting is enabled (see specific Apache and Nginx sections) - the server's timezone is properly defined -- the server's clock is synchronized with - [NTP](https://en.wikipedia.org/wiki/Network_Time_Protocol) - -The host where the API client is invoked should also be synchronized with NTP, -see [token expiration](#payload). - -## Authentication - -All requests to Shaarli's API must include a JWT token to verify their authenticity. - -This token has to be included as an HTTP header called `Authentication: Bearer `. - -JWT resources : - -- [jwt.io](https://jwt.io) (including a list of client per language). -- RFC : https://tools.ietf.org/html/rfc7519 -- https://float-middle.com/json-web-tokens-jwt-vs-sessions/ -- HackerNews thread: https://news.ycombinator.com/item?id=11929267 - - -### Shaarli JWT Token - -JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64: - -``` -[header].[payload].[signature] -``` - -#### Header - -Shaarli only allow one hash algorithm, so the header will always be the same: - -```json -{ - "typ": "JWT", - "alg": "HS512" -} -``` - -Encoded in base64, it gives: - -``` -ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ== -``` - -#### Payload - -**Token expiration** - -To avoid infinite token validity, JWT tokens must include their creation date -in UNIX timestamp format (timezone independent - UTC) under the key `iat` (issued at). -This token will be valid during **9 minutes**. - -```json -{ - "iat": 1468663519 -} -``` - -See [RFC reference](https://tools.ietf.org/html/rfc7519#section-4.1.6). - +- the server's clock is synchronized with [NTP](https://en.wikipedia.org/wiki/Network_Time_Protocol) -#### Signature - -The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page. - -Signature example with PHP: - -```php -$content = base64_encode($header) . '.' . base64_encode($payload); -$signature = hash_hmac('sha512', $content, $secret); -``` +The host where the API client is invoked should also be synchronized with NTP, see _payload/token expiration_ ## Clients and examples -### Android, Java, Kotlin - -- [Android client example with Kotlin](https://gitlab.com/snippets/1665808) - by [Braincoke](https://github.com/Braincoke) - -### Javascript, NodeJS -- [shaarli-client](https://www.npmjs.com/package/shaarli-client) - ([source code](https://github.com/laBecasse/shaarli-client)) - by [laBecasse](https://github.com/laBecasse) +- **[python-shaarli-client](https://github.com/shaarli/python-shaarli-client)** - the reference API client ([Documentation](http://python-shaarli-client.readthedocs.io/en/latest/)) +- [shaarli-client](https://www.npmjs.com/package/shaarli-client) - NodeJs client ([source code](https://github.com/laBecasse/shaarli-client)) by [laBecasse](https://github.com/laBecasse) +- [Android client example with Kotlin](https://gitlab.com/snippets/1665808) by [Braincoke](https://github.com/Braincoke) -### PHP This example uses the [PHP cURL](http://php.net/manual/en/book.curl.php) library. @@ -145,13 +68,57 @@ function getInfo($baseUrl, $secret) { var_dump(getInfo($baseUrl, $secret)); ``` +## Implementation + +### Authentication + +- All requests to Shaarli's API must include a **JWT token** to verify their authenticity. +- This token must be included as an HTTP header called `Authentication: Bearer `. +- JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64: + +``` +[header].[payload].[signature] +``` + +##### Header + +Shaarli only allow one hash algorithm, so the header will always be the same: + +```json +{ + "typ": "JWT", + "alg": "HS512" +} +``` + +Encoded in base64, it gives: -### Python +``` +ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ== +``` + +##### Payload + +Token expiration: To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independent - UTC) under the key `iat` (issued at) field ([1](https://tools.ietf.org/html/rfc7519#section-4.1.6)). This token will be valid during **9 minutes**. + +```json +{ + "iat": 1468663519 +} +``` + +##### Signature + +The signature authenticates the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page. + +Example signature with PHP: + +```php +$content = base64_encode($header) . '.' . base64_encode($payload); +$signature = hash_hmac('sha512', $content, $secret); +``` -See the reference API client: -- [Documentation](http://python-shaarli-client.readthedocs.io/en/latest/) on ReadTheDocs -- [python-shaarli-client](https://github.com/shaarli/python-shaarli-client) on Github ## Troubleshooting @@ -171,3 +138,13 @@ to get the actual error message in the HTTP response body with: } } ``` + +## References + +- [jwt.io](https://jwt.io) (including a list of client per language). +- [RFC - JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519) +- [JSON Web Tokens (JWT) vs Sessions](https://float-middle.com/json-web-tokens-jwt-vs-sessions/), [HackerNews thread](https://news.ycombinator.com/item?id=11929267) + + + +