@abstractj
Created July 4, 2012 15:43
Initial security API draft

Security API - draft 0.1 (work in progress)

This is an initial proposal for a very simple authentication layer.

Disclaimer

Every piece of code here represents a few simple ideas that must be tested in practice and will be modified over the course of development.

Client API

Requirements

  • Offer easy-to-use APIs
  • Provide a flexible authentication solution
  • Cross-browser implementation
  • Respect the user's privacy

References

Features

Authentication

aerogear.auth

An aerogear.auth is a wrapper that supports multiple authentication providers and lets you be explicit about which technology must be used.

When creating an aerogear.auth, the host property is optional; if it is absent, the location the application was loaded from is assumed. It points to where the REST resources are hosted.

Example:

//Create an instance of aerogear.auth
var auth = aerogear.auth({
	host: "http://mydefaulthost.com"
});

The provider property lets the user pick the desired implementation and exposes a consistent interface for working with it. This attribute is optional; if it is absent, the default REST authentication method is assumed.

Example:

//Create an instance of aerogear.auth
var auth = aerogear.auth({
	provider: "browserid", //or "oauth2"
	host: "http://mydefaulthost.com"
});

aerogear.auth.signup

Aims to provide a flexible registration method whose fields mirror the properties defined on the server side, filled in from the user's input, following the basic authentication flow.

[figure: signup]

Example:

var result = aerogear.auth.signup({
	username: "john", 
	password: "doe",
	email: "john@doe.com"
});

aerogear.auth.signin

The authentication parameters must be defined on the server side; since we are dealing with several authentication methods, a variable number of attributes must be allowed. In this specific case the user authenticates by providing, for example, a username and password, and the user's state is created in the server-side session.

[figure: signin]

Example:

//Sign-in request
var result = aerogear.auth.signin({
	username: "john", 
	password: "doe"
});

aerogear.auth.signout

Ends the session of the authenticated user.

[figure: signout]

Example:

var result = aerogear.auth.signout();
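The client wrapper described in this section, as an added example that is not part of the draft or of the AeroGear project. The names aerogear.auth, provider, host, signup, signin and signout come from the draft; the transport option (so the wrapper can be exercised offline against a fake server), the provider list, the default provider name "rest", the whitelisting of request fields and the https-only check on host are assumptions made here. Unlike the draft's examples, which call aerogear.auth.signin(...) on the namespace, this version puts signup/signin/signout on the object returned by aerogear.auth({...}), so the host and provider chosen at creation apply to every call.

```javascript
// Added example (not the draft's code): a minimal implementation of the
// aerogear.auth client wrapper. The "transport" option, the PROVIDERS list,
// the default provider "rest" and the https-only check are assumptions.
const PROVIDERS = ["rest", "browserid", "oauth2"];

const aerogear = {};

aerogear.auth = function (options) {
  const opts = options || {};
  const provider = opts.provider || "rest";
  if (!PROVIDERS.includes(provider)) {
    throw new Error("unknown provider: " + provider);
  }
  // Default host: the origin the application was loaded from (browsers).
  let host = opts.host || (typeof location !== "undefined" ? location.origin : "");
  host = host.replace(/\/+$/, "");
  // signup/signin carry the password in the body, so refuse cleartext transport.
  if (!/^https:\/\//.test(host)) {
    throw new Error("host must be an https URL: " + JSON.stringify(host));
  }
  const transport = opts.transport || fetchTransport;

  // Every draft endpoint is a POST of a JSON body to <host>/auth/<path>.
  function post(path, body) {
    return transport({
      method: "POST",
      url: host + "/auth/" + path,
      headers: { "Content-Type": "application/json" },
      body: body === undefined ? undefined : JSON.stringify(body),
    });
  }

  // Reject missing or non-string fields before anything leaves the client.
  function requireFields(obj, fields) {
    const o = obj || {};
    for (const f of fields) {
      if (typeof o[f] !== "string" || o[f].length === 0) {
        throw new Error("missing or invalid field: " + f);
      }
    }
  }

  return {
    provider: provider,
    host: host,
    signup: function (user) {
      requireFields(user, ["username", "password", "email"]);
      // Only the known fields are forwarded; anything else the caller passes is dropped.
      return post("signup", { username: user.username, password: user.password, email: user.email });
    },
    signin: function (credentials) {
      requireFields(credentials, ["username", "password"]);
      return post("signin", { username: credentials.username, password: credentials.password });
    },
    signout: function () {
      return post("signout");
    },
  };
};

// Default transport for browsers and Node 18+: send with fetch, include the
// server-side session cookie and parse the JSON reply.
function fetchTransport(req) {
  return fetch(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
    credentials: "include",
  }).then(function (res) { return res.json(); });
}
```

With the default transport every method returns a promise of the parsed JSON reply; with an injected transport the wrapper returns whatever the transport returns, which is what makes it testable without a server. Passing the draft's own host value "http://mydefaulthost.com" throws, by design.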

REST Authentication API

The REST resources could be generated to provide the basics for authentication. Note that the example URLs below use http://; since signup and signin carry the password in the request body, these resources must be served over HTTPS in practice (see also the open questions at the end).

POST

auth/signup

Resource URL

http://johndoe.com/auth/signup

Example Request

{
	"username": "john", 
	"password": "doe",
	"email": "john@doe.com"
}

auth/signin

Resource URL

http://johndoe.com/auth/signin

Example Request

{
	"username": "john", 
	"password": "doe"
}

auth/signout

Resource URL

http://johndoe.com/auth/:id/logout

Example Request

//http://johndoe.com/auth/logout
{
	"request": "/auth/logout"
}

Aerogear.next

Authentication

  • REST support
  • OAuth2 support
  • BrowserID support

aerogear.encryptors

  • aerogear.encryptors.SipHash
  • aerogear.encryptors.SHA1
  • aerogear.encryptors.SHA_256
  • aerogear.encryptors.AES

Open questions

  • Are the proposed authentication methods enough? Do we need token support with key derivation on the server side? Something like this:

[figure: token]

  • HTTPS provides the security necessary for data transport. Do we need to care about environments where HTTPS is not provided or supported?