When the built-in plugin kinto.plugins.accounts
is enabled in configuration, it becomes possible to manage accounts via a new resource /accounts
.
Via this endpoint, users can sign-up, modify their password or delete their account. Administrators configured in settings can manage users accounts.
Details about accounts configuration are given in the settings section <settings-accounts>
.
Basically, you can check if the accounts
feature is enabled if it is mentioned in the "capabilities"
field on the root URL <api-utilities-hello>
.
Accounts are defined using a username and a password, and uses Basic Authentication.
For example, once the bob
account has been created (see below), you can check if authentication works using the root URL <api-utilities-hello>
.
bash
$ http GET http://localhost:8888/v1/ --auth bob:azerty123
http
GET /v1/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate Authorization: Basic Ym9iOmF6ZXJ0eTEyMw== Connection: keep-alive Host: localhost:8888 User-Agent: HTTPie/0.9.8
http
HTTP/1.1 200 OK Access-Control-Expose-Headers: Alert, Backoff, Content-Length, Retry-After Content-Length: 448 Content-Type: application/json Date: Tue, 21 Mar 2017 14:40:14 GMT Server: waitress X-Content-Type-Options: nosniff
- {
- "capabilities": {
- "accounts": {
"description": "Manage user accounts.", "url": "http://kinto.readthedocs.io/en/latest/api/1.x/accounts.html"
}
}, "http_api_version": 1.16, "project_docs": "https://kinto.readthedocs.io/", "project_name": "kinto", "project_version": "6.1.0.dev0", "settings": { "batch_max_requests": 25, "readonly": false }, "url": "http://localhost:8888/v1/", "user": { "id": "account:bob", "principals": [ "account:bob", "system.Everyone", "system.Authenticated" ] }
}
Alternatively, accounts can be created using POST. Supply the user id and password in the request body and remove user id from the URL. The following request is equivalent to the example PUT call:
bash
$ echo '{"data": {"id": "bob", "password": "azerty123"}}' | http POST http://localhost:8888/v1/accounts --verbose
Note
Depending on the configuration <settings-accounts>
, you may not be allowed to create accounts.
It is possible to configure administrators in settings. They will be able to manage others users accounts.
For example, create somebody else account:
$ echo '{"data": {"id": "sam-body", "password": "else"}}' | http POST http://localhost:8888/v1/accounts --auth admin:s3cr3t
List accounts:
$ http GET http://localhost:8888/v1/accounts --auth admin:s3cr3t
Or delete some account:
$ http DELETE http://localhost:8888/v1/accounts/sam-body --auth admin:s3cr3t
When the account_validation
option is enabled in the settings
<settings-account-validation>
, account IDs need to be valid email addresses: they need to match the regexp in the account_validation.email_regexp
setting. The default one is very generic, but you may restrict it to only allow certain emails, for example only ones from a specific domain.
To make sure the account_validation
is enabled, you can check if the validation_enabled
flag is true
in the "accounts"
field on the root URL <api-utilities-hello>
.
If the account_validation
option in the settings
<settings-account-validation>
has been enabled, a temporary reset password may be requested through the endpoint available at /accounts/(user id)/reset-password.
Using this temporary reset password, one can update the account <accounts-update>
providing the new password.