[REST Auth] API tokens & openhab:users console command #1735
Commits on Oct 20, 2020
[REST Auth] API tokens & openhab:users console command
This adds API tokens as a new credential type. Their format is: `oh.<name>.<random chars>`

The "oh." prefix is used to tell them apart from a JWT access token, because they're both used as a Bearer authorization scheme, but there is no semantic value attached to any of the other parts. They are stored hashed in the user's profile, and can be listed, added or removed with the new `openhab:users` console command.

Currently the scopes are still not checked, but ultimately they could be; for instance a scope of e.g. `user admin.items` would mean that the API token can be used to perform user operations like retrieving info or sending a command, _and_ managing the items, but nothing else - even if the user has more permissions because of their role (which will of course still be checked).

Tokens are normally passed in the Authorization header with the Bearer scheme, or the X-OPENHAB-TOKEN header, like access tokens. As a special exception, API tokens can also be used with the Basic authorization scheme, **even if the allowBasicAuth** option is not enabled in the "API Security" service, because there's no additional security risk in allowing that. In that case, the token should be passed as the username and the password MUST be empty.

In short, this means that all these curl commands will work:
- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`

2 REST API operations were added to the AuthResource, to allow authenticated users to list their tokens or remove (revoke) one. Self-service for creating a token or changing the password is more sensitive so these should be handled with a servlet and pages devoid of any JavaScript instead of REST API calls, therefore for now they'll have to be done with the console.

This also fixes regressions introduced with openhab#1713 - the operations annotated with @RolesAllowed({ Role.USER }) only were not authorized for administrators anymore.

Signed-off-by: Yannick Schaus <github@schaus.net>
Commit b459cbc
Generate a unique salt for each token
Reusing the password salt is bad practice, and changing the password changes the salt as well which makes all tokens invalid. Put the salt in the same field as the hash (concatenated with a separator) to avoid modifying the JSON DB schema.

Signed-off-by: Yannick Schaus <github@schaus.net>
Commit 9d099c7
Fix API token authentication, make scope available to security context
The X-OPENHAB-TOKEN header now has priority over the Authorization header for credentials, if both are set.

Signed-off-by: Yannick Schaus <github@schaus.net>
Commit fe67008
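As an added illustration of the mechanism the three commits above describe (not openHAB's own code): tokens shaped `oh.<name>.<random chars>`, each stored as its own salt and hash concatenated in one field, and read from a request with X-OPENHAB-TOKEN taking priority over Authorization (Bearer, or Basic with the token as username and an empty password). The PBKDF2 hash, the `:` separator and the token character set are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Illustrative reimplementation of the scheme the commits describe, not
# openHAB's own code. Hash function, separator and charset are assumptions.
TOKEN_RE = re.compile(r"^oh\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
SEP = ":"  # assumed separator between salt and hash in the single stored field


def hash_token(token: str, salt: str) -> str:
    """Return the stored field '<salt><SEP><hash>' for this token and salt."""
    digest = hashlib.pbkdf2_hmac("sha256", token.encode(), salt.encode(), 10_000)
    return salt + SEP + digest.hex()


def create_token(name: str) -> Tuple[str, str]:
    """Return (plaintext token, stored field); every token gets a fresh salt,
    so changing the password (and its salt) cannot invalidate tokens."""
    token = f"oh.{name}.{secrets.token_urlsafe(24)}"
    return token, hash_token(token, secrets.token_hex(16))


def verify_token(token: str, stored: str) -> bool:
    """Recompute the hash with the salt carried inside the stored field."""
    if not TOKEN_RE.match(token) or SEP not in stored:
        return False
    salt = stored.split(SEP, 1)[0]
    return hmac.compare_digest(hash_token(token, salt), stored)


def extract_token(headers: Dict[str, str]) -> Optional[str]:
    """Pick the credential out of the request headers in priority order."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-openhab-token" in h:
        return h["x-openhab-token"]  # wins even when Authorization is also set
    scheme, _, value = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer":
        return value.strip()  # may be a JWT; verify_token rejects non "oh." values
    if scheme.lower() == "basic":
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        # Basic is accepted for API tokens only, and only with an empty password
        if password == "" and user.startswith("oh."):
            return user
    return None
```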
Add self-service pages to change password & create new API token
Signed-off-by: Yannick Schaus <github@schaus.net>
Commit 07de0ce
Commit 6d9cbf9
Commits on Oct 22, 2020
Signed-off-by: Yannick Schaus <github@schaus.net>
Commit ea523af
Commit 62c4e6f
Fix error message when token name doesn't match pattern
Signed-off-by: Yannick Schaus <github@schaus.net>
Commit f051da1
Commits on Oct 23, 2020
Signed-off-by: Yannick Schaus <github@schaus.net>
Commit 0bbaa29
Fix removeUserSession in UserRegistryImpl
Signed-off-by: Yannick Schaus <github@schaus.net>
Commit d5bf4a4
Signed-off-by: Yannick Schaus <github@schaus.net>
Commit e486af4
Commits on Oct 25, 2020
Fix null annotations warnings in TokenResource
Signed-off-by: Yannick Schaus <github@schaus.net>
Commit ef5f4a7