aboutsummaryrefslogblamecommitdiffhomepage
path: root/doc/REST-API.md
blob: d790997804f157775afd55a952573bea3e564143 (plain) (tree)








































































































                                                                                                                                                                                                                                                          
#REST API
## Usage

See the [REST API documentation](http://shaarli.github.io/api-documentation/).[](.html)

## Authentication

All requests to Shaarli's API must include a JWT token to verify their authenticity.

This token has to be included as an HTTP header called `Authentication: Bearer <jwt token>`.

JWT resources :

 * [jwt.io](https://jwt.io) (including a list of client per language).[](.html)
 * RFC : https://tools.ietf.org/html/rfc7519
 * https://float-middle.com/json-web-tokens-jwt-vs-sessions/
 * HackerNews thread: https://news.ycombinator.com/item?id=11929267


### Shaarli JWT Token

JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:

```
[header].[payload].[signature][](.html)
```

#### Header

Shaarli only allow one hash algorithm, so the header will always be the same:

```json
{
    "typ": "JWT",
    "alg": "HS512"
}
```

Encoded in base64, it gives:

```
ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==
```

#### Payload

**Validity duration**

To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independant - UTC) under the key `iat` (issued at). This token will be accepted during 9 minutes.

```json
{
    "iat": 1468663519
}
```

See [RFC reference](https://tools.ietf.org/html/rfc7519#section-4.1.6).[](.html)


#### Signature

The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page.

Signature example with PHP:

```php
$content = base64_encode($header) . '.' . base64_encode($payload);
$signature = hash_hmac('sha512', $content, $secret);
```


### Complete example

#### PHP

```php
function generateToken($secret) {
    $header = base64_encode('{
        "typ": "JWT",
        "alg": "HS512"
    }');
    $payload = base64_encode('{
        "iat": '. time() .'
    }');
    $signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
    return $header .'.'. $payload .'.'. $signature;
}

$secret = 'mysecret';
$token = generateToken($secret);
echo $token;
```

> `ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==.ewogICAgICAgICJpYXQiOiAxNDY4NjY3MDQ3CiAgICB9.1d2c54fa947daf594fdbf7591796195652c8bc63bffad7f6a6db2a41c313f495a542cbfb595acade79e83f3810d709b4251d7b940bbc10b531a6e6134af63a68`

```php
$options = [[](.html)
    'http' => [[](.html)
        'method' => 'GET',
        'jwt' => $token,
    ],
];
$context = stream_context_create($options);
file_get_contents($apiEndpoint, false, $context);
```