openannotation / annotator-store

A backend store for the Annotator
http://annotateit.org/
MIT License
177 stars 66 forks

Documentation for the authentication #95

Closed lbenedix closed 10 years ago

lbenedix commented 10 years ago

Can you tell me what I have to do to secure my annotator-store against everybody in the internets who guesses the URL annotator.foobar.com to store annotations on my server? We are developing an application with Django and run the flask-annotator-store as a separate process on the same machine.

Lukas

tilgovi commented 10 years ago

See the example configuration in the annotator store: https://github.com/openannotation/annotator-store/blob/master/annotator.cfg.example

You have to set AUTH_ON and AUTHZ_ON in the application config and then set up an Authenticator instance as g.auth and an authorizer function as g.authorize inside a Flask before_request decorator.

See run.py for an example: https://github.com/openannotation/annotator-store/blob/36b647cbfee0bd3752ee2fd5e43205b89e935e36/run.py#L48

We should probably move this issue over to openannotation/annotator-store.

The API is very simple. You need to be able to generate a JWT as the response to a token route and validate that JWT when it's passed in the X-Annotator-Auth-Token header.

The documentation here shows you which fields should be in the JWT payload: http://docs.annotatorjs.org/en/latest/authentication.html

It may also make more sense for you to write your own store using Django.

On the master branch there has been some work by @Treora to make it less Flask-specific. If you're interested in contributing Django integration code, I could do the same for Pyramid, and we could work together to make annotator-store a bit more generic, if we think that's still a promising project moving forward.
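As an added example (not part of this thread and not annotator-store's own code), here is a minimal stdlib-only issuer and validator for the token scheme described above: the `/token` route returns an HS256 JWT, and the store checks the value of the `X-Annotator-Auth-Token` header. The payload fields (`consumerKey`, `userId`, `issuedAt`, `ttl`) follow the Annotator authentication docs linked above; the consumer key, secret and TTL are placeholder values.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone
from typing import Optional

# Placeholder consumer credentials (assumed, not from the thread): the secret is
# shared only by the application minting tokens and the store validating them.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = b"replace-with-a-long-random-secret"
TTL_SECONDS = 86400  # token lifetime in seconds

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(CONSUMER_SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user_id: str, now_ts: Optional[int] = None) -> str:
    """Mint the HS256 JWT that a /token route returns to the Annotator client."""
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    issued = datetime.fromtimestamp(now_ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    payload = {"consumerKey": CONSUMER_KEY, "userId": user_id,
               "issuedAt": issued, "ttl": TTL_SECONDS}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _b64url(_sign(signing_input))

def validate_token(token: str, now_ts: Optional[int] = None) -> Optional[dict]:
    """Check an X-Annotator-Auth-Token value; return its payload, or None if rejected."""
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Pin the algorithm and verify the signature before trusting the payload.
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_sign(header_b64 + "." + payload_b64),
                                   _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("consumerKey") != CONSUMER_KEY:
            return None
        issued_ts = datetime.strptime(payload["issuedAt"], "%Y-%m-%dT%H:%M:%SZ"
                                      ).replace(tzinfo=timezone.utc).timestamp()
        return None if now_ts > issued_ts + int(payload["ttl"]) else payload
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

In a Flask store this validator is what the `g.auth` object's verification would call from the `before_request` hook; in a Django app, `issue_token` is what the token view returns for the logged-in user.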