From b230bf207df576fa2ad165702184edf21f674ce7 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Sun, 7 May 2017 18:44:05 +0200 Subject: Bump version to v0.9.0 Signed-off-by: ArthurHoaro --- doc/REST-API.html | 169 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 169 insertions(+) create mode 100644 doc/REST-API.html (limited to 'doc/REST-API.html') diff --git a/doc/REST-API.html b/doc/REST-API.html new file mode 100644 index 00000000..d14c98c9 --- /dev/null +++ b/doc/REST-API.html @@ -0,0 +1,169 @@ + + + + + + + Shaarli – REST API + + + + + + + +

REST API

Usage

See the REST API documentation.

Authentication

All requests to Shaarli's API must include a JWT token to verify their authenticity.

This token has to be included as an HTTP header called Authentication: Bearer <jwt token>.

JWT resources :

jwt.io (including a list of client per language).
RFC : https://tools.ietf.org/html/rfc7519
https://float-middle.com/json-web-tokens-jwt-vs-sessions/
HackerNews thread: https://news.ycombinator.com/item?id=11929267

Shaarli JWT Token

JWT tokens are composed by three parts, separated by a dot . and encoded in base64:

[header].[payload].[signature][](.html)

+ +

Shaarli only allow one hash algorithm, so the header will always be the same:

{
+    "typ": "JWT",
+    "alg": "HS512"
+}

Encoded in base64, it gives:

ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==

Payload

Validity duration

To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independant - UTC) under the key iat (issued at). This token will be accepted during 9 minutes.

{
+    "iat": 1468663519
+}

See RFC reference.

Signature

The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot ., hashed in SHA512 with the API secret available in Shaarli administration page.

Signature example with PHP:

$content = base64_encode($header) . '.' . base64_encode($payload);
+$signature = hash_hmac('sha512', $content, $secret);

Complete example

PHP

function generateToken($secret) {
+    $header = base64_encode('{
+        "typ": "JWT",
+        "alg": "HS512"
+    }');
+    $payload = base64_encode('{
+        "iat": '. time() .'
+    }');
+    $signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
+    return $header .'.'. $payload .'.'. $signature;
+}
+
+$secret = 'mysecret';
+$token = generateToken($secret);
+echo $token;

+
ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==.ewogICAgICAgICJpYXQiOiAxNDY4NjY3MDQ3CiAgICB9.1d2c54fa947daf594fdbf7591796195652c8bc63bffad7f6a6db2a41c313f495a542cbfb595acade79e83f3810d709b4251d7b940bbc10b531a6e6134af63a68
+

$options = [[](.html)
+    'http' => [[](.html)
+        'method' => 'GET',
+        'jwt' => $token,
+    ],
+];
+$context = stream_context_create($options);
+file_get_contents($apiEndpoint, false, $context);

+ + -- cgit v1.2.3