/
Authentication services (proposed set)

Authentication services (proposed set)

Nov 22, 2013

Exists

Method

URI

Auth filtered?

Body

Parameters

Return value

Description

Differences

(from existing methods)

POST

/session

LoginCredentials

 

Session

Normal login

Does not fail if the user has not signed the terms of use. Instead, a boolean is returned along with the session token. The client can use that boolean to throw a TermsOfUseException.

Note: trying to make an authenticated request will still fail if the terms haven't been accepted.

Terms of use cannot be signed here.

PUT

/session

Session

 

 

Revalidates a session token.

Note: This will still fail (403) if the user has not signed the terms of use.

DELETE

/session

 

 

 

Invalidated token

 

POST

/user

NewUser

sendPasswordmail=true

(Not implemented yet)

 

Creates a new user

No longer goes through the auth filter. This was originally done because GET /user was filtered.

Parameter will let the client specify if Synapse should sent a "Welcome" email or a "Set your password" email.

POST

/user/password

ChangePasswordRequest

 

 

Changes the user's password, regardless of whether they have accepted the terms of use

Replaces /changePassword and /registeringUserPassword

POST

/user/password/email

Username

 

 

Sends a password reset email (containing a session token)

Replaces /registeringUserEmail, /userPasswordEmail, and /apiPasswordEmail

POST

/termsOfUse

Session

 

 

Accepts the terms of use via a session token

New method

GET

/secretKey

 

 

SecretKey

Gets the user's API key

 

DELETE

/secretKey

 

 

 

Invalidates the user's API key

 

POST

/openIdCallback

 

(OpenID params)

acceptsTermsOfUse=false

createUserIfNecessary=false

Session

Login via OpenID, with options to create a new user and sign the terms of use

Terms of use cannot be signed here.

Behavior clarifications

  • Other than PUT /session, methods that do not pass through the auth filter will no longer fail if the user has not signed the terms of use.  PUT /session mimics what the auth filter does, so it still throws TermsOfUseExceptions.  

  • It will be the client's job to throw an appropriate exception if a Session object is returned with "acceptsTermsOfUse" set to false.

  • It will be possible to explicitly reject the terms of use.  

Schema changes

  • Session will have an extra field "acceptsTermsOfUse" 

  • UserSessionData will hold a Session object rather than a "sessionToken" field

  • ChangePasswordRequest will be added

    • SessionToken

    • Password

  • RegistrationInfo will be removed

  • ChangeUserPassword will be removed

Portal changes

  • Any password email sending will use POST /user/password/email

  • Any password changing will use POST /user/password

    • A separate prefix (i.e "register_" or "changePassword_" will no longer be required)

    • We may want to consider removing the prefix entirely 

  • Login should detect if a user has not signed the terms via the new field (rather than a 403 error)

    • Redirect/show dialog appropriately

    • Clicking OK on the dialog should POST /termsOfUse

Should session tokens only be valid for <24 hours?

30 minutes is generally considered a compromise between security and convenience.