2017 © Pedro Peláez
 

library pws-auth

PwsAuth is an authentication protocol through HTTP header designed for web services

meta-tech/pws-auth

  • Wednesday, September 20, 2017
  • by Meta-Tech
  • Repository
  • 1 Watchers
  • 1 Stars
  • 466 Installations
  • PHP
  • 2 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 6 Versions
  • 1 % Grown

The README.md

PwsAuth

PwsAuth is an authentication protocol through HTTP header designed for web services.

Request Headers

Request headers must be defined as follows:

Pws-Authorization : $type $token
Pws-Ident : $userkey

The $token can be either a loginToken or a sessionToken.

The $token is divided into four parts:

  • a datetime formatted with the Authenticator::DATE_FORMAT format
  • an obfuscated part, built from the date, the common salt and the third part of the token
  • a loginToken representing a user-signed token for a specific login at a given date OR a session token representing the session id
  • noise data to be removed

The complete token is valid only if the obfuscated part can be rebuilt.
This simple mechanism ensures that the sessionId is valid and can be safely loaded.

The Authenticator's configuration comes with hash.session.index and hash.noise.length values, which can be redefined to move the session token part within the complete token.

                                                    << hash.session.index >>                             << hash.noise.length >>
|-----------------------------------------------------------<<-^->>---------------------------------------------<<-^->>--------|
|- type ||-- date ---|------------ obfuscate token ---------<<-^->>-------------- session token ----------------<<-^->> noise -|
|       ||     1     |                    2                    |                         3                         |     4     |
 PwsAuth2 242003031711e1a6104135f04c6c01e6cd5952ecafbb53c928603b0gb64tqo609qse6ovd7lhdvk4fnaqk7cdl26e4d4qh7jb41eu5f1zb5y79m8pgu3
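
The four-part layout and the rebuild check described above, sketched as an added PHP example (not the library's own code). The 12-character date, the constructed salt and inputs, and the use of HMAC-SHA256 in place of the library's obfuscation routine are assumptions; the function names are hypothetical.

```php
<?php
// Added illustration, not MetaTech\PwsAuth code (PHP 7.1+ syntax).
// Assumed layout: date | obfuscated part | session id | noise.
// HMAC-SHA256 stands in for the library's own obfuscation routine.
const DATE_LEN      = 12;  // assumed length of the formatted date
const SESSION_INDEX = 58;  // hash.session.index: length of the obfuscated part
const NOISE_LENGTH  = 12;  // hash.noise.length
const COMMON_SALT   = 'constructed-demo-salt'; // constructed value

function obfuscate(string $date, string $session): string
{
    // Bind the date and the session id to the shared salt, then cut the
    // hex digest down to SESSION_INDEX characters.
    $mac = hash_hmac('sha256', $date . '/' . $session, COMMON_SALT);
    return substr($mac, 0, SESSION_INDEX);
}

function buildToken(string $date, string $session): string
{
    $noise = substr(bin2hex(random_bytes(NOISE_LENGTH)), 0, NOISE_LENGTH);
    return $date . obfuscate($date, $session) . $session . $noise;
}

function parseToken(string $token): ?array
{
    // Reject tokens too short to hold all four parts before slicing.
    if (strlen($token) <= DATE_LEN + SESSION_INDEX + NOISE_LENGTH) {
        return null;
    }
    $date    = substr($token, 0, DATE_LEN);
    $obf     = substr($token, DATE_LEN, SESSION_INDEX);
    $session = substr($token, DATE_LEN + SESSION_INDEX, -NOISE_LENGTH);
    // Valid only if the obfuscated part can be rebuilt from the other parts;
    // hash_equals compares in constant time.
    if (!hash_equals(obfuscate($date, $session), $obf)) {
        return null;
    }
    return ['date' => $date, 'session' => $session];
}

// Constructed inputs: a round trip, then one altered session character.
$token = buildToken('170920120000', 'demo0session0id0constructed');
var_dump(parseToken($token));
$tampered = substr_replace($token, 'x', DATE_LEN + SESSION_INDEX, 1);
var_dump(parseToken($tampered));
```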

Requirements

PHP >= 5.4

Install

The package can be installed using Composer.

composer require meta-tech/pws-auth

Or add the package to your composer.json.

"require": {
    "meta-tech/pws-auth" : "^2.1"
}

Authenticator instantiation

<?php
// Load Composer's autoloader (PwsAuth and symfony/yaml)
require_once(__DIR__ . '/vendor/autoload.php');

use Symfony\Component\Yaml\Yaml;
use MetaTech\PwsAuth\Authenticator;

// The same configuration file must be deployed on client and server
$config        = Yaml::parse(file_get_contents(__DIR__ . '/config/pwsauth.yml'));
$authenticator = new Authenticator($config);

ClientSide

A request header can be generated via the generateHeader($login, $key, $sessid=null) method.
The third parameter determines which kind of token will be generated.

For client usage, see MetaTech\Ws\Client.

ServerSide

The token can be retrieved via the getToken method.

A loginToken is validated by the check(Token $token = null, $login) method.
A loginToken must match a public URL with method POST and a login/password pair.
On successful login, the session id must be transmitted to the client.

A sessionToken is valid only if the session can effectively be loaded and the user key matches the given Pws-Ident value.

For server usage, see MetaTech\Silex\Ws\Authentication and meta-tech/pws-server.

Configuration

Configuration must be the same on the server and client sides.
Hash definition is a convenient way to obfuscate your tokens.

config/pwsauth.yml


type : PwsAuth2
header :
    auth  : Pws-Authorization
    ident : Pws-Ident
salt :
    common : jK5#p9Mh5.Zv}
    # used for generating user specific salt
    user.index  : 10
    user.length : 12
hash :
    sep  : /
    algo : sha256
    # effective token length size. out of bound data is simply noise
    length : 52
    # session index (or obfuscate length)
    session.index : 58
    # ending noise data length
    noise.length : 12

Notes

A valid $userkey alone is useless.
A valid $sessionId alone is useless.

License

The project is released under the MIT license, see the LICENSE file.

The Versions

20/09 2017

dev-master

9999999-dev https://github.com/meta-tech/pws-auth

MIT

The Requires

  • php >=5.4

 

authentication http webservice protocol pwsauth

20/09 2017

2.1.4

2.1.4.0 https://github.com/meta-tech/pws-auth


21/03 2017

2.1.3

2.1.3.0 https://github.com/meta-tech/pws-auth


20/03 2017

2.1.2

2.1.2.0 https://github.com/meta-tech/pws-auth


15/03 2017

2.1.1

2.1.1.0 https://github.com/meta-tech/pws-auth


15/03 2017

2.1.0

2.1.0.0 https://github.com/meta-tech/pws-auth
