From 84d0632a2df1cf833610bc8dd45d4808e4a8dc0e Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sat, 29 Jul 2017 15:26:27 +0200 Subject: docker: remove `dev` image, update documentation Relates to https://github.com/shaarli/Shaarli/issues/843 Changed: - Update Docker image list - Update Docker documentation structure Removed: - Delete Dockerfile and resources for the `dev` image - Cleanup `doc/` resources Signed-off-by: VirtualTam --- doc/REST-API.md | 105 -------------------------------------------------------- 1 file changed, 105 deletions(-) delete mode 100644 doc/REST-API.md (limited to 'doc/REST-API.md') diff --git a/doc/REST-API.md b/doc/REST-API.md deleted file mode 100644 index d7909978..00000000 --- a/doc/REST-API.md +++ /dev/null @@ -1,105 +0,0 @@ -#REST API -## Usage - -See the [REST API documentation](http://shaarli.github.io/api-documentation/).[](.html) - -## Authentication - -All requests to Shaarli's API must include a JWT token to verify their authenticity. - -This token has to be included as an HTTP header called `Authentication: Bearer `. - -JWT resources : - - * [jwt.io](https://jwt.io) (including a list of client per language).[](.html) - * RFC : https://tools.ietf.org/html/rfc7519 - * https://float-middle.com/json-web-tokens-jwt-vs-sessions/ - * HackerNews thread: https://news.ycombinator.com/item?id=11929267 - - -### Shaarli JWT Token - -JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64: - -``` -[header].[payload].[signature][](.html) -``` - -#### Header - -Shaarli only allow one hash algorithm, so the header will always be the same: - -```json -{ - "typ": "JWT", - "alg": "HS512" -} -``` - -Encoded in base64, it gives: - -``` -ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ== -``` - -#### Payload - -**Validity duration** - -To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independant - UTC) under the key `iat` (issued at). This token will be accepted during 9 minutes. - -```json -{ - "iat": 1468663519 -} -``` - -See [RFC reference](https://tools.ietf.org/html/rfc7519#section-4.1.6).[](.html) - - -#### Signature - -The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page. - -Signature example with PHP: - -```php -$content = base64_encode($header) . '.' . base64_encode($payload); -$signature = hash_hmac('sha512', $content, $secret); -``` - - -### Complete example - -#### PHP - -```php -function generateToken($secret) { - $header = base64_encode('{ - "typ": "JWT", - "alg": "HS512" - }'); - $payload = base64_encode('{ - "iat": '. time() .' - }'); - $signature = hash_hmac('sha512', $header .'.'. $payload , $secret); - return $header .'.'. $payload .'.'. $signature; -} - -$secret = 'mysecret'; -$token = generateToken($secret); -echo $token; -``` - -> `ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==.ewogICAgICAgICJpYXQiOiAxNDY4NjY3MDQ3CiAgICB9.1d2c54fa947daf594fdbf7591796195652c8bc63bffad7f6a6db2a41c313f495a542cbfb595acade79e83f3810d709b4251d7b940bbc10b531a6e6134af63a68` - -```php -$options = [[](.html) - 'http' => [[](.html) - 'method' => 'GET', - 'jwt' => $token, - ], -]; -$context = stream_context_create($options); -file_get_contents($apiEndpoint, false, $context); -``` -- cgit v1.2.3