1. Authentication - adharapayments/REST-API GitHub Wiki

General Information:

  • This authentication service provides a valid 'token', which is required by all REST services.

  • Authentication is done in a two-step scheme (two web services must be called):

    1. Challenge generation from the server
    2. Obtain the token by providing the following hash: SHA1 ( challenge + strategy_password )

  • The '+' symbol means 'concatenation' (the challenge in binary concatenated with the password, also in binary)

  • Any token attack is rejected by the server after 5 failed token requests.

  • The server may block the remote IP address for several minutes.

  • The server keeps the same challenge (and therefore the same token) for a period of time (typically a week). However, it is recommended to re-authenticate at the beginning of each trading session.

Authentication calculation sample for user 'demo' and password 'demo':

* Returned challenge : 8508C8D20447C2F5008FB6276DEB30CA73B57AE0
* Challenge response : SHA1 ( 8508C8D20447C2F5008FB6276DEB30CA73B57AE0 concatenated with 64656D6F )
                     = D211D1D54391DA4C00538DA273F38E400D597527
* Returned token     : E79133C6902B63D2E5F5D9E9F1E658019F143675

Challenge response can be easily calculated with this online tool: http://cnp-wireless.com/Tools/sha1-luhn.php

Examples

Challenge request:

$ curl -i --data '{"getAuthorizationChallenge":{"user":"demo"}}' http://actfx.adhara.io:81/fcgi-bin/IHFTRestAuth/getAuthorizationChallenge --header 'Content-Type: application/json'

Date: Wed, 01 Jul 2015 00:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
Transfer-Encoding: chunked
Content-Type: application/json;charset=iso-8859-1

{ "getAuthorizationChallengeResponse": {
   "challenge": "8508C8D20447C2F5008FB6276DEB30CA73B57AE0",
   "timestamp": "1445959735.123694" }
}

Token request:

$ curl -i --data '{"getAuthorizationToken":{"user":"demo","challengeresp":"D211D1D54391DA4C00538DA273F38E400D597527"}}' http://actfx.adhara.io:81/fcgi-bin/IHFTRestAuth/getAuthorizationToken --header 'Content-Type: application/json'

HTTP/1.1 200 OK
Date: Wed, 01 Jul 2015 00:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
Transfer-Encoding: chunked
Content-Type: application/json;charset=iso-8859-1

{ "getAuthorizationTokenResponse": {
   "token": "E79133C6902B63D2E5F5D9E9F1E658019F143675",
   "timestamp": "1445959820.963816" }
}
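A client-side implementation of the two-step scheme above, added here as an example (it is not the project's own client code): it derives challengeresp from the sample challenge and password, builds both request bodies, parses both replies, and shows the hex-text-versus-bytes mistake that gets a token request rejected. It assumes the exact JSON shapes shown in the curl examples; the function names are this example's own.

```python
import hashlib
import json

# Values quoted from the wiki's worked sample (user 'demo', password 'demo').
SAMPLE_CHALLENGE = "8508C8D20447C2F5008FB6276DEB30CA73B57AE0"
SAMPLE_PASSWORD = "demo"
SAMPLE_CHALLENGE_RESPONSE = "D211D1D54391DA4C00538DA273F38E400D597527"


def challenge_response(challenge_hex: str, password: str) -> str:
    """SHA1(challenge || password) over raw bytes, returned as upper-case hex.

    The challenge is hex-decoded to its binary bytes and the password is used
    as raw bytes ('demo' -> 64656D6F), which is what the '+' above means.
    Encoding a non-ASCII password as UTF-8 is an assumption not stated on the page.
    """
    data = bytes.fromhex(challenge_hex) + password.encode("utf-8")
    return hashlib.sha1(data).hexdigest().upper()


def hex_text_mistake(challenge_hex: str, password: str) -> str:
    """The usual client bug: hashing the 40-character hex *text*, not the bytes.

    The digest differs, so the server rejects it and the attempt counts toward
    the 5-failure lockout described above.
    """
    return hashlib.sha1((challenge_hex + password).encode("utf-8")).hexdigest().upper()


def challenge_request_body(user: str) -> str:
    """Step 1 JSON body (getAuthorizationChallenge)."""
    return json.dumps({"getAuthorizationChallenge": {"user": user}})


def parse_challenge_reply(body: str) -> str:
    """Challenge string from the step 1 reply."""
    return json.loads(body)["getAuthorizationChallengeResponse"]["challenge"]


def token_request_body(user: str, challenge_hex: str, password: str) -> str:
    """Step 2 JSON body (getAuthorizationToken) carrying the computed challengeresp."""
    resp = challenge_response(challenge_hex, password)
    return json.dumps({"getAuthorizationToken": {"user": user, "challengeresp": resp}})


def parse_token_reply(body: str):
    """Token from the step 2 reply, or None when no token was issued."""
    return json.loads(body).get("getAuthorizationTokenResponse", {}).get("token")


def matches_documented_sample() -> bool:
    """Self-check against the wiki's demo/demo vector before contacting the server."""
    return challenge_response(SAMPLE_CHALLENGE, SAMPLE_PASSWORD) == SAMPLE_CHALLENGE_RESPONSE
```

matches_documented_sample() compares the computed value with the D211... vector from the sample above, a cheap way to validate a client before it spends any of the five allowed attempts.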

getAuthorizationChallenge()

Request: getAuthorizationChallenge object

  • user: Required. Strategy login assigned by the backend administrator.

Response: getAuthorizationChallengeResponse object

  • challenge: Challenge generated by the server. Usually the challenge does not change over a period of time (typically a week).
  • timestamp: Epoch time of the response. The integer part is the number of seconds since the Unix epoch; the decimal part gives the microseconds.

getAuthorizationToken()

Request: getAuthorizationToken object

  • user: Required. Strategy login assigned by the backend administrator.
  • challengeresp: Required. SHA1('challenge' concatenated with 'strategy_password')

Response: getAuthorizationTokenResponse object

  • token: Token generated to be used on any REST service.
  • timestamp: Epoch time of the response. The integer part is the number of seconds since the Unix epoch; the decimal part gives the microseconds.

Note: If 'challengeresp' is calculated incorrectly, an authentication error is returned and no token is provided.