Authentication ============== .. contents:: :local: Authentication with the Soledad server is made using `Twisted's Pluggable Authentication system <https://twisted.readthedocs.io/en/latest/core/howto/cred.html>`_. The validation of credentials is performed by verifying a token provided by the client. There are currently two distinct authenticated entry points: * A public TLS encrypted **Users API**, providing the *Synchronization* and *Blobs* services, verified against the Leap Platform ``tokens`` database. * A local plaintext **Services API**, currently providing only the delivery part of the *Incoming* service, authenticated against tokens defined in a file specified on the server configuration file (see the :ref:`services-tokens-file` section). Authorization header -------------------- The client has to provide a token encoded in an HTTP auth header, as in:: Authorization: Token <base64-encoded uuid:token> If no token is provided, the request is considered an "anonymous" request. Anonymous requests can only access `GET /`, which returns information about the server (as the version of the server and runtime configuration options). .. _services-tokens-file: Services API tokens file ------------------------ Credentials for services accessible through the local Services API entrypoint can be added into a file, one in each line with the format ``servicename:token``, like this:: incoming:Zm9yYSB0ZW1lciEK By default, Soledad Server will look for the tokens file in ``/etc/soledad/services.tokens`` but that is configurable (see :ref:`server-config-file` for more information). Currently, the only special credential provided is for the *Incoming* service. Implementation -------------- Soledad Server package includes a systemd service file that spawns a ``twistd`` daemon that loads a `.tac file <https://twistedmatrix.com/documents/12.2.0/core/howto/application.html#auto5>`_. When the server is started, two services are spawned: * A local entrypoint for services (serving on localhost only). * A public entrypoint for users (serving on public IP). * Localhost and public IP ports are configurable. Default is 2424 for public IP and 2525 for localhost. .. code-block:: none .------------------------------------------------------. | soledad-server | | (twisted.application.service.Application) | '------------------------------------------------------' | | .--------------. .----------------. | 0.0.0.0:2424 | | 127.0.0.1:2525 | | (TLS) | | (TCP) | '--------------' '----------------' | | .----------------. .----------------------. | Auth for users | | Auth for services | | (UsersRealm) | | (LocalServicesRealm) | '----------------' '----------------------' | | .------------------. .-------------------------. | Users API | | Services API | | (PublicResource) | | (LocalResource) | '------------------' '-------------------------' | .-------. .-----------------. | '->| /sync | | /incoming |<-' | '-------' | (delivery only) | | .--------. '-----------------' '->| /blobs | '--------