SudoSOS Back-end API / authentication
authentication
Authentication within SudoSOS is based on JWTs. There are many ways to obtain a JWT, and the token itself is not stored by SudoSOS: it is kept in the user's browser and sent with every request to SudoSOS.
SudoSOS then validates the received JWT. If the token is valid, the API request is authorized and processed.
To retrieve a JWT token, a user can use one of the following methods:
- GEWIS Web Authentication.
- PIN Authentication.
- LDAP Authentication.
- NFC Authentication.
- API Key Authentication.
- EAN (barcode) Authentication.
Most of these methods are hash-based: a secret is hashed and stored in the database, and later compared against the user's input.
Enumerations
| Enumeration | Description |
|---|---|
| QRAuthenticatorStatus | - |
Classes
| Class | Description |
|---|---|
| AuthenticationMethod | The AuthenticationMethod is the base class for all authentication methods. It simply stores the user it is for. |
| EanAuthenticator | The EAN Authenticator is used to authenticate users using EAN codes. These are only used by "voucher" accounts, see User. |
| HashBasedAuthenticationMethod | HashBasedAuthenticationMethod is the base class for all authentication methods that use a hash. |
| JsonWebToken | The contents of the JWT used for user authentication. |
| KeyAuthenticator | The Key Authenticator is used for API key-based authentication in SudoSOS. This authentication method allows programmatic access to the system using pre-generated API keys instead of user credentials. |
| LDAPAuthenticator | The LDAP Authenticator is used to authenticate users using LDAP. This process contains some design decisions that are highlighted below. |
| LocalAuthenticator | The Local Authenticator is used for users who have local accounts in SudoSOS. This authentication method allows users to create accounts directly in the system without relying on external authentication providers like LDAP. |
| MemberAuthenticationController | The member authentication controller is responsible for verifying member user authentications by memberId and for handing out JSON Web Tokens. |
| MemberAuthenticationSecureController | Handles authenticated-only member authentication endpoints for secure PIN authentication. All endpoints require valid JWT tokens and build upon existing authentication. |
| NfcAuthenticator | The NFC Authenticator is used for Near Field Communication (NFC) card-based authentication. This authentication method allows users to authenticate using physical NFC cards or tags by simply tapping them against an NFC reader. |
| PinAuthenticator | PIN Authentication can return a lesser JWT token (when posId is provided) and should only be used for authenticating at a point of sale. The reason for returning a lesser JWT token is to prevent brute-force attacks, since PINs are 4-digit numbers and could easily be guessed. A token is considered "lesser" if it has a posId property set. |
| QRAuthenticator | The QR Authenticator enables QR code-based authentication in SudoSOS. This authentication method allows users to authenticate by scanning a QR code with their mobile device, providing a convenient and secure authentication flow. |
| ResetToken | - |
| TokenHandler | This class is responsible for key management and for the signing, validation, and refreshing of JWTs. |