1 files changed, 105 insertions, 0 deletions
diff --git a/doc/REST-API.md b/doc/REST-API.md
new file mode 100644
index 00000000..d7909978
--- /dev/null
+++ b/doc/REST-API.md
@@ -0,0 +1,105 @@
+#REST API
+## Usage
+See the [REST API documentation](http://shaarli.github.io/api-documentation/).[](.html)
+## Authentication
+All requests to Shaarli's API must include a JWT token to verify their authenticity.
+This token has to be included as an HTTP header called `Authentication: Bearer <jwt token>`.
+JWT resources :
+ * [jwt.io](https://jwt.io) (including a list of client per language).[](.html)
+ * RFC : https://tools.ietf.org/html/rfc7519
+ * https://float-middle.com/json-web-tokens-jwt-vs-sessions/
+ * HackerNews thread: https://news.ycombinator.com/item?id=11929267
+### Shaarli JWT Token
+JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:
+```
+[header].[payload].[signature][](.html)
+```
+#### Header
+Shaarli only allow one hash algorithm, so the header will always be the same:
+```json
+{
+    "typ": "JWT",
+    "alg": "HS512"
+}
+```
+Encoded in base64, it gives:
+```
+ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==
+```
+#### Payload
+**Validity duration**
+To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independant - UTC) under the key `iat` (issued at). This token will be accepted during 9 minutes.
+```json
+{
+    "iat": 1468663519
+}
+```
+See [RFC reference](https://tools.ietf.org/html/rfc7519#section-4.1.6).[](.html)
+#### Signature
+The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page.
+Signature example with PHP:
+```php
+$content = base64_encode($header) . '.' . base64_encode($payload);
+$signature = hash_hmac('sha512', $content, $secret);
+```
+### Complete example
+#### PHP
+```php
+function generateToken($secret) {
+    $header = base64_encode('{
+        "typ": "JWT",
+        "alg": "HS512"
+    }');
+    $payload = base64_encode('{
+        "iat": '. time() .'
+    }');
+    $signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
+    return $header .'.'. $payload .'.'. $signature;
+}
+$secret = 'mysecret';
+$token = generateToken($secret);
+echo $token;
+```
+> `ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==.ewogICAgICAgICJpYXQiOiAxNDY4NjY3MDQ3CiAgICB9.1d2c54fa947daf594fdbf7591796195652c8bc63bffad7f6a6db2a41c313f495a542cbfb595acade79e83f3810d709b4251d7b940bbc10b531a6e6134af63a68`
+```php
+$options = [[](.html)
+    'http' => [[](.html)
+        'method' => 'GET',
+        'jwt' => $token,
+    ],
+];
+$context = stream_context_create($options);
+file_get_contents($apiEndpoint, false, $context);
+```

diff --git a/doc/REST-API.md b/doc/REST-API.md new file mode 100644 index 00000000..d7909978 --- /dev/null +++ b/doc/REST-API.md
@@ -0,0 +1,105 @@
	1	#REST API
	2	## Usage
	3
	4	See the [REST API documentation](http://shaarli.github.io/api-documentation/).[](.html)
	5
	6	## Authentication
	7
	8	All requests to Shaarli's API must include a JWT token to verify their authenticity.
	9
	10	This token has to be included as an HTTP header called `Authentication: Bearer <jwt token>`.
	11
	12	JWT resources :
	13
	14	* [jwt.io](https://jwt.io) (including a list of client per language).[](.html)
	15	* RFC : https://tools.ietf.org/html/rfc7519
	16	* https://float-middle.com/json-web-tokens-jwt-vs-sessions/
	17	* HackerNews thread: https://news.ycombinator.com/item?id=11929267
	18
	19
	20	### Shaarli JWT Token
	21
	22	JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:
	23
	24	```
	25	[header].[payload].[signature][](.html)
	26	```
	27
	28	#### Header
	29
	30	Shaarli only allow one hash algorithm, so the header will always be the same:
	31
	32	```json
	33	{
	34	"typ": "JWT",
	35	"alg": "HS512"
	36	}
	37	```
	38
	39	Encoded in base64, it gives:
	40
	41	```
	42	ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==
	43	```
	44
	45	#### Payload
	46
	47	Validity duration
	48
	49	To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independant - UTC) under the key `iat` (issued at). This token will be accepted during 9 minutes.
	50
	51	```json
	52	{
	53	"iat": 1468663519
	54	}
	55	```
	56
	57	See [RFC reference](https://tools.ietf.org/html/rfc7519#section-4.1.6).[](.html)
	58
	59
	60	#### Signature
	61
	62	The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page.
	63
	64	Signature example with PHP:
	65
	66	```php
	67	$content = base64_encode($header) . '.' . base64_encode($payload);
	68	$signature = hash_hmac('sha512', $content, $secret);
	69	```
	70
	71
	72	### Complete example
	73
	74	#### PHP
	75
	76	```php
	77	function generateToken($secret) {
	78	$header = base64_encode('{
	79	"typ": "JWT",
	80	"alg": "HS512"
	81	}');
	82	$payload = base64_encode('{
	83	"iat": '. time() .'
	84	}');
	85	$signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
	86	return $header .'.'. $payload .'.'. $signature;
	87	}
	88
	89	$secret = 'mysecret';
	90	$token = generateToken($secret);
	91	echo $token;
	92	```
	93
	94	> `ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==.ewogICAgICAgICJpYXQiOiAxNDY4NjY3MDQ3CiAgICB9.1d2c54fa947daf594fdbf7591796195652c8bc63bffad7f6a6db2a41c313f495a542cbfb595acade79e83f3810d709b4251d7b940bbc10b531a6e6134af63a68`
	95
	96	```php
	97	$options = [[](.html)
	98	'http' => [[](.html)
	99	'method' => 'GET',
	100	'jwt' => $token,
	101	],
	102	];
	103	$context = stream_context_create($options);
	104	file_get_contents($apiEndpoint, false, $context);
	105	```