X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2Fmd%2FREST-API.md;h=2a36ea29d1c99ea334029d520d388816f4d9ec84;hb=151fa1e450740b08ee783e819dd42cf2c48c335c;hp=8f3f7303e888eb0da7b125ccd1152843206b3f56;hpb=1fdb40fc169b42af7622610c4f088688de231118;p=github%2Fshaarli%2FShaarli.git

diff --git a/doc/md/REST-API.md b/doc/md/REST-API.md
index 8f3f7303..2a36ea29 100644
--- a/doc/md/REST-API.md
+++ b/doc/md/REST-API.md
@@ -1,30 +1,86 @@
-## Usage
+# REST API
 
-See the [REST API documentation](http://shaarli.github.io/api-documentation/).
+## Server requirements
 
-## Authentication
+See the **[REST API documentation](http://shaarli.github.io/api-documentation/)** for a list of available endpoints and parameters.
 
-All requests to Shaarli's API must include a JWT token to verify their authenticity.
+Please ensure that your server meets the requirements and is properly [configured](Server-configuration):
 
-This token has to be included as an HTTP header called `Authentication: Bearer <jwt token>`.
+- URL rewriting is enabled (see specific Apache and Nginx sections)
+- the server's timezone is properly defined
+- the server's clock is synchronized with [NTP](https://en.wikipedia.org/wiki/Network_Time_Protocol)
 
-JWT resources :
+The host where the API client is invoked should also be synchronized with NTP, see _payload/token expiration_
 
- * [jwt.io](https://jwt.io) (including a list of client per language).
- * RFC : https://tools.ietf.org/html/rfc7519
- * https://float-middle.com/json-web-tokens-jwt-vs-sessions/
- * HackerNews thread: https://news.ycombinator.com/item?id=11929267
 
+## Clients and examples
 
-### Shaarli JWT Token
+- **[python-shaarli-client](https://github.com/shaarli/python-shaarli-client)** - the reference API client ([Documentation](http://python-shaarli-client.readthedocs.io/en/latest/))
+- [shaarli-client](https://www.npmjs.com/package/shaarli-client) - NodeJs client ([source code](https://github.com/laBecasse/shaarli-client)) by [laBecasse](https://github.com/laBecasse)
+- [Android client example with Kotlin](https://gitlab.com/snippets/1665808) by [Braincoke](https://github.com/Braincoke)
 
-JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:
+
+This example uses the [PHP cURL](http://php.net/manual/en/book.curl.php) library.
+
+```php
+<?php
+$baseUrl = 'https://shaarli.mydomain.net';
+$secret = 'thats_my_api_secret';
+
+function base64url_encode($data) {
+  return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
+}
+
+function generateToken($secret) {
+    $header = base64url_encode('{
+        "typ": "JWT",
+        "alg": "HS512"
+    }');
+    $payload = base64url_encode('{
+        "iat": '. time() .'
+    }');
+    $signature = base64url_encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true));
+    return $header . '.' . $payload . '.' . $signature;
+}
+
+
+function getInfo($baseUrl, $secret) {
+    $token = generateToken($secret);
+    $endpoint = rtrim($baseUrl, '/') . '/api/v1/info';
+
+    $headers = [
+        'Content-Type: text/plain; charset=UTF-8',
+        'Authorization: Bearer ' . $token,
+    ];
+
+    $ch = curl_init($endpoint);
+    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
+    curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
+
+    $result = curl_exec($ch);
+    curl_close($ch);
+
+    return $result;
+}
+
+var_dump(getInfo($baseUrl, $secret));
+```
+
+## Implementation
+
+### Authentication
+
+- All requests to Shaarli's API must include a **JWT token** to verify their authenticity.
+- This token must be included as an HTTP header called `Authorization: Bearer <jwt token>`.
+- JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:
 
 ```
 [header].[payload].[signature]
 ```
 
-#### Header
+##### Header
 
 Shaarli only allow one hash algorithm, so the header will always be the same:
 
@@ -41,11 +97,9 @@ Encoded in base64, it gives:
 ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==
 ```
 
-#### Payload
-
-**Validity duration**
+##### Payload
 
-To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independant - UTC) under the key `iat` (issued at). This token will be accepted during 9 minutes.
+Token expiration: To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independent - UTC) under the key `iat` (issued at) field ([1](https://tools.ietf.org/html/rfc7519#section-4.1.6)). This token will be valid during **9 minutes**.
 
 ```json
 {
@@ -53,14 +107,11 @@ To avoid infinite token validity, JWT tokens must include their creation date in
 }
 ```
 
-See [RFC reference](https://tools.ietf.org/html/rfc7519#section-4.1.6).
-
+##### Signature
 
-#### Signature
+The signature authenticates the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page.
 
-The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page.
-
-Signature example with PHP:
+Example signature with PHP:
 
 ```php
 $content = base64_encode($header) . '.' . base64_encode($payload);
@@ -68,37 +119,32 @@ $signature = hash_hmac('sha512', $content, $secret);
 ```
 
 
-### Complete example
 
-#### PHP
+## Troubleshooting
 
-```php
-function generateToken($secret) {
-    $header = base64_encode('{
-        "typ": "JWT",
-        "alg": "HS512"
-    }');
-    $payload = base64_encode('{
-        "iat": '. time() .'
-    }');
-    $signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
-    return $header .'.'. $payload .'.'. $signature;
-}
+### Debug mode
 
-$secret = 'mysecret';
-$token = generateToken($secret);
-echo $token;
-```
+> This should never be used in a production environment.
 
-> `ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==.ewogICAgICAgICJpYXQiOiAxNDY4NjY3MDQ3CiAgICB9.1d2c54fa947daf594fdbf7591796195652c8bc63bffad7f6a6db2a41c313f495a542cbfb595acade79e83f3810d709b4251d7b940bbc10b531a6e6134af63a68`
+For security reasons, authentication issues will always return an `HTTP 401` error code without any detail.
 
-```php
-$options = [
-    'http' => [
-        'method' => 'GET',
-        'jwt' => $token,
-    ],
-];
-$context = stream_context_create($options);
-file_get_contents($apiEndpoint, false, $context);
+It is possible to enable the debug mode in `config.json.php` 
+to get the actual error message in the HTTP response body with:
+
+```json
+{
+  "dev": {
+    "debug": true
+  }
+}
 ```
+
+## References
+
+- [jwt.io](https://jwt.io) (including a list of client per language).
+- [RFC - JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519)
+- [JSON Web Tokens (JWT) vs Sessions](https://float-middle.com/json-web-tokens-jwt-vs-sessions/), [HackerNews thread](https://news.ycombinator.com/item?id=11929267)
+
+
+
+