mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2025-05-14 15:14:56 -04:00
docs: Merge API Authentication docs
Signed-off-by: David Mehren <git@herrmehren.de>
parent
1093da4a39
commit
58f306a38c
4 changed files with 30 additions and 23 deletions
29
docs/content/dev/design_docs/api_auth.md
Normal file
|
@ -0,0 +1,29 @@
|
|||
# API Authentication
|
||||
|
||||
## Public API
|
||||
All requests to the public API require authentication using a [bearer token](https://datatracker.ietf.org/doc/html/rfc6750).
|
||||
|
||||
This token can be generated using the profile page in the frontend
|
||||
(which in turn uses the private API to generate the token).
|
||||
|
||||
## Private API
|
||||
|
||||
The private API uses a session cookie to authenticate the user.
|
||||
Sessions are handled using passport.js.
|
||||
|
||||
The backend hands out a new session token after the user has successfully authenticated
|
||||
using one of the supported authentication methods:
|
||||
|
||||
- Username & Password (`local`)
|
||||
- LDAP
|
||||
- SAML
|
||||
- OAuth2
|
||||
- GitLab
|
||||
- GitHub
|
||||
- Facebook
|
||||
- Twitter
|
||||
- Dropbox
|
||||
- Google
|
||||
|
||||
The `SessionGuard`, which is added to each (appropriate) controller method of the private API,
|
||||
checks if the provided session is still valid and provides the controller method with the correct user.
|
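Review bot: In the closing paragraph of the Private API section, "each (appropriate) controller method" does not say which private API methods run without `SessionGuard`, and that is exactly the set a reader auditing the API needs to know. Suggest naming the unguarded methods, or stating the rule that decides them. Separately, the section first says the private API uses a "session cookie" and then that the backend "hands out a new session token"; since the Public API section already uses "token" for the bearer token, keeping "session cookie" throughout would stop the two mechanisms from being confused.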