Generate JWT tokens from within Shaarli

[rasberry]

As far as I can tell, the only wat to access the Shaarli api involves generating a JWT externally to the shaarli application. I would prefer to have Shaarli to expose an end-point to generate a JWT token. This would make it easier to develop browser plugins since a separate server-side JWT generator is not required. The current secret mechanism works ok for server-side apps, but it's not great for browser based ones.

more detail below. Let me know what you think.

tl;dr

current option

The only current way to give 3rd party apps access to the api is to share the api secret with the 3rd party app. This is less than ideal

• the secret is not time limited
• since you are sharing the secret with another app, that app has to be updated if the secret ever changes.
• sharing secrets among multiple apps doesn't scale well
• implementing another server size app just to generate jwt tokens makes implementing a browser app more difficult
• storing the secret in a browser based app seems insecure

enhancement - simple version

This implementation would give an application access to the Shaarli api once a user is logged in. The use case for me is browser plugins

• add another ?do= route maybe named generate_jwt
• steps in the flow might look like this:
  1. 3rd party app makes a call to generate_jwt end point
  2. if user is logged in go to step 7 (vii)
  3. otherwise generate_jwt returns a 403
  4. 3rd party app redirects user to login page
  5. user logs in
  6. 3rd party app calls the generate_jwt end point
  7. user is logged in so generate_jwt returns a time-limited jwt
  8. 3rd party app calls api end-point with jwt
  9. continue calling api until api returns 403
  10. go to step 1

enhancement - more complex version

This implementation allows more general access to Shaarli, but would require a decent amount of development. The idea here is to implement fine-grained app access that the user can approve or deny.

• add a new app_access page that allows the user to approve or deny access for individual apps
• the steps in this flow might be:
  1. 3rd party app makes a call to generate_jwt end point passing an app_id
  2. if user is logged in and the app is registered generate_jwt returns a time-limited jwt
  3. otherwise generate_jwt returns a 403
  4. 3rd party app redirects user to login page
  5. user logs in
  6. 3rd party app calls the generate_jwt end point again passing an app_id
  7. if the app is not registered generate_jwt redirects to the app_access page passing the app_id
  8. the user is prompted to approve or deny the new app
  9. if the user denies the app - an entry is added and any further requests by this app_id are denied
  10. if the user approves the app - an entry is added that the user approved this app_id
  11. go to step 1

[virtadpt]

This. I had to write a separate daemon to generate JWT for an integration I'm debugging.

[ArthurHoaro]

Thanks for this interesting feedback. I'm not an expert on the subject, but from what I understand what you're describing is more or less the workflow of the OAuth2 protocol's mechanism, right? When we chose a simple JWT auth for the API, I thought it was appropriate for a single user tool such as Shaarli. But I agree that storing the secret key locally for a client sided app isn't really secured...

Now regarding your solutions, the simple one seems nice, but is even less secured. Take the example of browser addons. If I'm logged in Shaarli on this browser, and checked the "Remember me" checkbox, any addon will be able to generate a valid JWT token without any action from me.

The more complex one is the way to go, but as you said it requires a bit of dev, which IMO isn't a priority. As far as I know, there is only one app which uses the REST API, not including our python client.