-
Notifications
You must be signed in to change notification settings - Fork 2
Authentication
Vignesh Rao edited this page Feb 1, 2024
·
1 revision
PyStream uses two ways of authentication, the username and password to gain access to the server and
a session_token generated by the server to access directories and streaming content.
- UI creates hex values for username and password using native JS
- These hex values are then used the calculate the hash
- Calculated hash is then base64 encoded using native JS, before sending the signature to the API in an authorization header
- API decodes the base64 encoded ascii string, then decodes the HEX received in authorization header
- Then the value is broken down to, username, signature and timestamp
- The decoded username is used to get the stored password from env variables, which are then hex encoded
- API creates a hash signature using the hex username, hex password, and the timestamp
- These signatures are then compared for authentication purpose
- Once the login has been successful, the API creates a randomly generated 64 bit url safe token
- This token is stored as unique key for each user
- The API then forms a payload with the username, key, and the timestamp
- This payload is then encrypted using Cryptography's Fernet, which can be retrieved only using the key
- This encrypted payload is stored as a cookie before sending a
JSONResponsewith aredirect_url
Since the UI uses
AJAXfor authentication POST call, aRedirectResponsefrom FastAPI will not work, as the call will simply follow the redirect toGETthe content instead of redirecting the page.
- The
redirect_urlfrom the JSON response is fetched, to alterlocation.href
This form of redirect will transfer cookies to the new page but not the headers, so the username and password are lost in the frontend at this point
- From then on, all calls to the backend including redirects, directory navigation and, streaming will carry the cookie
- The
session_tokenis the only form of authentication from this point onward