This is an initial proposal for a very simple authentication layer.
Every piece of code here represents a few simple ideas that must be tested in practice and will be modified across the development process.
- Offer easy-to-use APIs
- Provide a flexible authentication solution
- Cross-browser implementation
- Respect users' privacy
- http://browserid.org
- https://github.com/mozilla/browserid-ios
- http://oauth.net/2/
- https://github.com/plataformatec/devise/
- http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol (SRP)
- https://github.com/jedisct1/siphash-js
- https://github.com/bitwiseshiftleft/sjcl
aerogear.auth is just a wrapper that supports multiple authentication providers and lets you be explicit about which technology must be used.
When creating an aerogear.auth, the host property is optional; if it is not present, the location where the application lives is assumed. This points to where the REST resources are hosted.
//Create an instance of aerogear.auth
var auth = aerogear.auth({
host: "http://mydefaulthost.com"
});
The provider option lets the user pick the desired implementation and exposes a consistent interface for working with it. This attribute is optional; if it is not present, the default REST authentication method is assumed.
//Create an instance of aerogear.auth
var auth = aerogear.auth({
provider: "browserid", //or oauth2
host: "http://mydefaulthost.com"
});
Sign-up aims to provide a flexible registration method that carries the properties defined on the server side, based on the user's input, following the basic authentication flow above.
var result = auth.signup({
username: "john",
password: "doe",
email: "john@doe.com"
});
The authentication parameters must be defined on the server side: since we are dealing with several authentication methods, we must allow a variable number of attributes. In this specific case the user is authenticated by providing username/password, for example, and the user's state is created in the server session.
//Sign-in request
var result = auth.signin({
username: "john",
password: "doe"
});
Ends the session of the authenticated user.
var result = auth.signout();
The REST resources could be generated to provide the basic authentication endpoints. Note that signup and signin receive the password as plaintext JSON, so these resources must only be exposed over HTTPS.
http://johndoe.com/auth/signup
{
"username": "john",
"password": "doe",
"email": "john@doe.com"
}
http://johndoe.com/auth/signin
{
"username": "john",
"password": "doe"
}
http://johndoe.com/auth/:id/logout
//http://johndoe.com/auth/logout
{
"request": "/auth/logout"
}
- REST support
- OAuth2 support
- BrowserID support
- aerogear.encryptors.SipHash
- aerogear.encryptors.SHA1
- aerogear.encryptors.SHA_256
- aerogear.encryptors.AES
- Are the proposed authentication methods enough? Do we need token support with key derivation on the server side? Something like this:
- HTTPS provides the security necessary for data transport. Do we need to care about environments where HTTPS is not provided or supported?