| Field | Value | Date |
|---|---|---|
| author | Kali Kaneko (leap communications) <kali@leap.se> | 2017-02-23 00:35:33 +0100 |
| committer | Kali Kaneko (leap communications) <kali@leap.se> | 2017-02-24 16:20:52 +0100 |
| commit | e3999c4906348dadcc85eec1df9a48e776deccd5 (patch) | |
| tree | 7f8156ba80f367df22c4e823c301360706e06e8d /docs/core/index.rst | |
| parent | 6b3ea883a62d40f8e2d68ce95bbefa2ac64b95de (diff) | |
[feature] require authentication token for api
implements a global auth token for the app.
this token is written to .config/leap/authtoken, and passed to the
anchor part of the landing URI when opening the index resource by the
browser.
- Resolves: #8765
Diffstat (limited to 'docs/core/index.rst')
-rw-r--r-- | docs/core/index.rst | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/docs/core/index.rst b/docs/core/index.rst index d03dd727..c7fb1780 100644 --- a/docs/core/index.rst +++ b/docs/core/index.rst @@ -24,8 +24,31 @@ throught a REST API. In bitmaskd.cfg:: [services] web = True -API Authentication -================== + +Global API Authentication +========================= + +To avoid some kind of attacks, the Bitmask API is protected by a global +authentication token. + +The JS API receives this value when the initial entrypoint is loaded for the +first time, in the anchor part of the url. + +To authenticate any request to the API, the ``X-Bitmask-Auth`` header has to be +added to it, set to the single value that is initialized during the bitmask +deaemon startup:: + + curl -X POST http://localhost:7070/API/mail/status + unauthorized:bad auth token + + curl -X POST http://localhost:7070/API/mail/status -H 'X-Bitmask-Auth: fae20706aa4f4f98ac0e67996787a370' + {"result": {"status": "on", "childrenStatus": {"smtp": {"status": "on", "error": null}, "imap": {"status": "on", "error": null}}, "error": null}, "error": null} + +This token can be found in ``.config/leap/authtoken`` + + +API Authentication (this section not implemented yet) +====================================================== By default, the resources in the API are protected by an authentication token. |
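Review bot: the new "Global API Authentication" section opens with "To avoid some kind of attacks", which tells the reader nothing about the threat; since the commit message says the token is now required for every API request, state that directly (requests without a valid ``X-Bitmask-Auth`` header are rejected with ``unauthorized:bad auth token``, as the curl example already shows) instead of the vague phrase. In the same hunk, ``deaemon startup::`` should read ``daemon startup::``. The section says the token "can be found in ``.config/leap/authtoken``" and is handed to the JS API "in the anchor part of the url", but it does not document the file's expected permissions or whether the token is regenerated on each daemon start; one sentence on who may read that file and on the token's lifetime would let a reader judge its exposure. The retitled heading "API Authentication (this section not implemented yet)" is immediately followed by the unchanged line "By default, the resources in the API are protected by an authentication token.", which now contradicts the heading; either mark that paragraph as planned behaviour or drop it until the per-resource scheme exists. Nit: the pre-existing "throught" in the unchanged context line could be corrected while this file is being edited.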