Authentication - TitanNano/MakeMyIdea GitHub Wiki

This is a brief explanation of the Make My Idea authentication system.

### Mega Token

The mega token consists of multiple parts:

```json
{
    "part1" : "token string - length 128, Base64 encoded",
    "part2" : "token string - length 128, Base64 encoded",
    "part3" : "token string - length 128, Base64 encoded",
    "restore" : "token string - length 64, Base64 encoded",
    "session" : "hex string - length 128 bit"
}
```
* part1: one of three tokens
* part2: one of three tokens
* part3: one of three tokens
* restore: this token is used to restore a session
* session: this is the session id; the client needs to send it with every request

### Authorization

To authorize a user and obtain a new session, the client needs to initiate a new OAuth flow with a third party provider. As soon as the server has obtained the access_token from the third party provider, it sends a new mega token to the client.

### Re-Authorization

The client is supposed to store the restore token persistently. If the client can send the restore token and the third party access_token to the server, the server expires the current session belonging to that restore token and generates a new mega token.

### Authentication

Each time the client sends a request to the server, it has to provide the correct token part and a nonce. The token part is selected by combining the last server nonce with the last client nonce:

```javascript
// clientNonce and serverNonce are the last nonces exchanged (see "Nonces" below).
// Sum the character codes of each nonce to get two small integers.
let client = clientNonce.split('').reduce((n, char) => n + char.charCodeAt(0), 0);
let server = serverNonce.split('').reduce((n, char) => n + char.charCodeAt(0), 0);

// Shift the server sum left by the hex width of the client sum and OR them together.
let merged = (server << (client.toString(16).length * 4)) | client;

// Map the merged value onto part1, part2 or part3 of the mega token.
let tokenPart = (merged % 3) + 1;
```

### Nonces

Both the server and the client have to generate a nonce and add it to each request / response. For each response the server should send back the nonce the client sent. The client, on the other hand, is supposed to provide the last server nonce with its next request.

A nonce is supposed to be a string of 64 characters randomly selected from an [A-Za-z] dictionary, base64 encoded.

### Authentication Headers

```
Auth-Nonce: bnRhTG9zQ0xVVWFPVEh5TUFISUlKVVFDSE1ZRGVnd3hSWFZWRHRUTG9KcU9lUWdwVmdNa0lUZ3J0V3JXVlZQTQ==
Auth-Token: SEpYWVJIRnNIQkdSd0hWellwaGluT2pXb1ZSbmhQekVOc2hrYW9lVHJBVG1jZmZnR2VGaWpnbXdBaFVGdFBQbVZ2dkJtVUpQcmxpdFVCWnhmT3FFbWhXa3FuVkNXaWpabE9CZ0ZxWVZtcGlvWWxDWFViQ0VicVZtcVVoRnZ5R1I=
Auth-Session: 1bfec109569983b4faf972298a296a8e
```