sharetribe / harmony

Availability management backend and API for Sharetribe marketplaces
https://www.sharetribe.com
Apache License 2.0

API authentication #18

Closed kpuputti closed 7 years ago

kpuputti commented 7 years ago

This PR adds authentication to all API requests using JWT.

The token is parsed from the Authorization HTTP header:

Authorization: Token <jwt token>

and it is unsigned and validated against the following schema:

(s/defschema TokenData
  {:marketplaceId s/Uuid
   :actorId s/Uuid
   :role (s/enum :user :admin :superAdmin)
   :exp s/Int})

where :exp is the standard JWT expiration timestamp claim that must be more than the current time.

The authentication can be controlled from the configuration:

 :api-authentication
 {:disable-authentication #config/prop ["DISABLE_API_AUTHENTICATION" "false"]
  :token-secrets #config/prop ["AUTH_TOKEN_SECRETS" "secret_key1,secret_key2"]}

where the collection of comma-separated secrets can be used for rolling new authentication secrets in sync with other applications.
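The flow described in the PR (parse `Authorization: Token <jwt>`, verify the HS256 signature against every secret listed in `AUTH_TOKEN_SECRETS`, reject an `:exp` in the past, then validate the claims against the `TokenData` shape), as an added illustration that is not part of this PR or the project. It is written in stdlib Python rather than the project's Clojure, so nothing here is harmony's API: the function names, the two secrets, the fixed clock `NOW` and the sample UUIDs are all constructed for the example, and the `DISABLE_API_AUTHENTICATION` switch is deliberately not modelled.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

ALG = "HS256"
ROLES = {"user", "admin", "superAdmin"}   # mirrors (s/enum :user :admin :superAdmin)


class AuthError(Exception):
    """Any reason the API would answer 401."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_secrets(prop):
    """AUTH_TOKEN_SECRETS is comma separated; every non-empty entry stays valid,
    so a new secret can be rolled out before the old one is retired."""
    secrets = [s.strip() for s in prop.split(",") if s.strip()]
    if not secrets:
        raise ValueError("AUTH_TOKEN_SECRETS must list at least one secret")
    return secrets


def sign_token(claims, secret):
    """Issue an HS256 JWT, as a calling application would."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": ALG, "typ": "JWT"}, claims)]
    mac = hmac.new(secret.encode(), ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(mac)])


def verify_token(token, secrets, now=None):
    """Check the signature first, then validate the claims against TokenData."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
    except ValueError:
        raise AuthError("malformed token")
    # Pin the algorithm: alg=none or any non-HMAC alg is refused outright.
    if not isinstance(header, dict) or header.get("alg") != ALG:
        raise AuthError("unexpected alg")
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    # Accept a MAC made with any configured secret; compare_digest is constant time.
    if not any(hmac.compare_digest(hmac.new(s.encode(), signing_input, hashlib.sha256).digest(),
                                   provided) for s in secrets):
        raise AuthError("bad signature")
    # Only a signed payload is parsed and validated.
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        raise AuthError("malformed claims")
    if not isinstance(claims, dict):
        raise AuthError("claims must be an object")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, int):   # bool is an int in Python
        raise AuthError("exp must be an integer")
    if exp <= (time.time() if now is None else now):
        raise AuthError("token expired")
    try:
        marketplace_id = uuid.UUID(str(claims["marketplaceId"]))
        actor_id = uuid.UUID(str(claims["actorId"]))
    except (KeyError, ValueError):
        raise AuthError("marketplaceId and actorId must be UUIDs")
    role = claims.get("role")
    if role not in ROLES:
        raise AuthError("unknown role")
    return {"marketplaceId": marketplace_id, "actorId": actor_id, "role": role, "exp": exp}


def authenticate(headers, secrets, now=None):
    """Parse 'Authorization: Token <jwt>' and return the validated TokenData."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    if scheme != "Token" or not token.strip():
        raise AuthError("missing Authorization: Token header")
    return verify_token(token.strip(), secrets, now)


def auth_error(headers, secrets, now=None):
    """The 401 reason for a request, or None when it authenticates."""
    try:
        authenticate(headers, secrets, now)
    except AuthError as e:
        return str(e)
    return None


def strip_signature(token):
    """Attacker attempt: rewrite the header to alg=none and drop the signature."""
    _, claims_b64, _ = token.split(".")
    return _b64url_encode(b'{"alg":"none"}') + "." + claims_b64 + "."


# Constructed sample data (not from the project): two rotating secrets, a fixed clock.
SECRETS = parse_secrets("secret_key1,secret_key2")
NOW = 1_700_000_000
GOOD_CLAIMS = {
    "marketplaceId": "6b4f4d3b-1e3b-4c7e-9b1a-2f7c9d0a1e22",
    "actorId": "0f8fad5b-d9cb-469f-a165-70867728950e",
    "role": "admin",
    "exp": NOW + 3600,
}
GOOD_TOKEN = sign_token(GOOD_CLAIMS, "secret_key2")   # signed with the newer secret

if __name__ == "__main__":
    print(authenticate({"Authorization": "Token " + GOOD_TOKEN}, SECRETS, now=NOW))
    print(auth_error({"Authorization": "Token " + strip_signature(GOOD_TOKEN)}, SECRETS, NOW))
```

Two points the PR text implies but a reviewer would want made explicit: the signature is verified before any claim is read, so an attacker cannot influence which secret or clock is used by editing the payload, and the accepted algorithm is fixed by the server rather than taken from the token's header, which is what makes the `alg=none` attempt in `strip_signature` fail. The `role` claim is compared as the string it decodes to; the Clojure schema uses keywords, and whatever coercion the project applies between JSON and `TokenData` is outside this example.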