Authorization and Authentication

Authentication and authorization only work with release mode, so cargo run --release is required.

Some environment variables are also required:

AUTH_HASHING_COST=8 
ADMIN=your_admin
ADMIN_PASSWORD=your_password
  • AUTH_HASHING_COST is the hashing cost for password in the authentication system.
  • ADMIN is the admin's user id.
  • ADMIN_PASSWORD is the admin's user password.

One optional environment variable can be used to configure the time to expirate a session token. SESSION_EXPIRATION_TIME has a default value of 3600 seconds, or 1 hour.

Creating new users

  • ADMIN is the only user role capable of creating new users. For now there can only be one ADMIN.

To create a new user, POST at /auth/createUser with your admin credentials and the new user info as follows (in RON format):

(
  admin_id: "your_admin",
  admin_password: "your_password",
  user_info: (
    user_password: "my_password",
    role: [User,],
  ),
)

User information consists of the user's password to be used and the user's roles. Remember to always put , at the end. Response to this request will be (user_id: \"<some-uuid>\",), containing the user's unique ID.

Available user roles are:

  • ADMIN - works primarily at /auth/createUser.
  • USER - works on all /wql/query, /wql/tx and /auth/putUserSession.
  • WRITE - only works on /wql/tx and /auth/putUserSession.
  • READ - only works on /wql/query and /auth/putUserSession.
  • HISTORY - only works on /entity-history.
  • New roles to be added as needed.

Getting a session token

To make a request at WQL endpoints you need a session token that will expire within 3600 seconds. To retrieve a session token you need to PUT at endpoint /auth/putUserSession your user credentials as follows (in RON format):

(id: "<user_id>", user_password: "<user_password>",)

Response will be a plain/text with your token.

Making auth requests to /wql/tx and /wql/query.

To avoid authentication and authorization errors, add your token to the authorization bearer header, Authorization: Bearer <your session token>. Your user needs the correct session token and the correct role for this request.

Deleting users

  • ADMIN is the only user role capable of creating new users. For now there can only be one ADMIN.

To delete a list of users, POST at /auth/deleteUsers with your admin credentials and the users ids you want to delete as follows (in RON format):

(
  admin_id: "your_admin",
  admin_password: "your_password",
  users_ids: [
    "<uui1>",
    "<uui2>",
    "<uui3>",
  ],
)

The response will be a vector containing all Uuids sent or an error FailedToDeleteUsers.

TODOs:

  • Adding other admins and removing admins is not yet implemented.