1. Authentication - adharapayments/REST-API GitHub Wiki
General Information:
- This authentication service provides a valid 'token', which is required by all REST services.
- Authentication is done in a two-step scheme (two web services must be called):
  - Challenge generation by the server
  - Obtaining the token by providing the following hash: SHA1 ( challenge + strategy_password )
- The '+' symbol means 'concatenation' (the challenge in binary, concatenated with the password, also in binary).
- After 5 failed token requests, the server rejects further token requests, so any attempt to guess the token is cut off.
- The server may block the remote IP address for several minutes.
- The server maintains the same challenge (and therefore the same token) for a period of time (typically a week). However, it is recommended to re-authenticate at the beginning of each trading session.
Authentication calculation sample for user 'demo' and password 'demo':
* Returned challenge : 8508C8D20447C2F5008FB6276DEB30CA73B57AE0
* Challenge response : SHA1 ( 8508C8D20447C2F5008FB6276DEB30CA73B57AE0 concatenated with 64656D6F ) = D211D1D54391DA4C00538DA273F38E400D597527
* Returned token : E79133C6902B63D2E5F5D9E9F1E658019F143675
The challenge response can also be calculated with this online tool: http://cnp-wireless.com/Tools/sha1-luhn.php
Examples
Challenge request:
$ curl -i --data '{"getAuthorizationChallenge":{"user":"demo"}}' http://actfx.adhara.io:81/fcgi-bin/IHFTRestAuth/getAuthorizationChallenge --header 'Content-Type: application/json'
Date: Wed, 01 Jul 2015 00:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
Transfer-Encoding: chunked
Content-Type: application/json;charset=iso-8859-1
{ "getAuthorizationChallengeResponse": {
"challenge": "8508C8D20447C2F5008FB6276DEB30CA73B57AE0",
"timestamp": "1445959735.123694" }
}
Token request:
$ curl -i --data '{"getAuthorizationToken":{"user":"demo","challengeresp":"D211D1D54391DA4C00538DA273F38E400D597527"}}' http://actfx.adhara.io:81/fcgi-bin/IHFTRestAuth/getAuthorizationToken --header 'Content-Type: application/json'
HTTP/1.1 200 OK
Date: Wed, 01 Jul 2015 00:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
Transfer-Encoding: chunked
Content-Type: application/json;charset=iso-8859-1
{ "getAuthorizationTokenResponse": {
"token": "E79133C6902B63D2E5F5D9E9F1E658019F143675",
"timestamp": "1445959820.963816" }
}
getAuthorizationChallenge()
Request: getAuthorizationChallenge object
- user: Required. Strategy login assigned by the backend administrator.
Response: getAuthorizationChallengeResponse object
- challenge: Challenge generated by the server. Usually the challenge does not change over a period of time (typically a week).
- timestamp: Epoch time of the response. The integer part is the number of seconds since the Unix epoch; the fractional part is the number of microseconds.
getAuthorizationToken()
Request: getAuthorizationToken object
- user: Required. Strategy login assigned by the backend administrator.
- challengeresp: Required. SHA1('challenge' concatenated with 'strategy_password')
Response: getAuthorizationTokenResponse object
- token: Token generated for use with any REST service.
- timestamp: Epoch time of the response. The integer part is the number of seconds since the Unix epoch; the fractional part is the number of microseconds.
Note: If 'challengeresp' is calculated incorrectly, an authentication error is returned and no token is provided.
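The two-step exchange described in the General Information section and in the getAuthorizationChallenge()/getAuthorizationToken() reference above, as an added Python example that is not part of the wiki or of the adharapayments project. `challenge_response()` implements the hash the way the page's wording and sample imply: the 40-hex-character challenge is decoded to its 20 raw bytes and the password is appended as raw bytes ('demo' = 64656D6F), then the SHA1 digest is rendered as upper-case hex. `matches_page_vector()` checks that interpretation against the digest the wiki publishes. `get_token()` performs exactly one challenge request and one token request and raises on failure instead of retrying, because the server locks out after 5 failed token requests. `FakeAuthServer` is a constructed stand-in for the two endpoints so the flow runs offline; its error bodies are invented, since the wiki does not show what a real authentication error looks like. The endpoint URL, sample challenge, response and token are the ones shown on the page.

```python
import hashlib
import json
import urllib.request

# Endpoint prefix taken from the wiki's curl examples.
BASE_URL = "http://actfx.adhara.io:81/fcgi-bin/IHFTRestAuth"

# Sample vector published on the wiki (user 'demo', password 'demo').
PAGE_CHALLENGE = "8508C8D20447C2F5008FB6276DEB30CA73B57AE0"
PAGE_CHALLENGE_RESPONSE = "D211D1D54391DA4C00538DA273F38E400D597527"
PAGE_TOKEN = "E79133C6902B63D2E5F5D9E9F1E658019F143675"


class AuthError(Exception):
    """Raised when either step of the authentication exchange fails."""


def challenge_response(challenge_hex: str, password: str) -> str:
    """SHA1(challenge || password) as the wiki defines it: the hex challenge is
    decoded to raw bytes, the password is appended as raw bytes, and the digest
    is returned as upper-case hex (the form shown on the page)."""
    data = bytes.fromhex(challenge_hex) + password.encode("latin-1")
    return hashlib.sha1(data).hexdigest().upper()


def matches_page_vector() -> bool:
    """True if this interpretation reproduces the wiki's sample digest."""
    return challenge_response(PAGE_CHALLENGE, "demo") == PAGE_CHALLENGE_RESPONSE


def http_post(url: str, payload: dict) -> dict:
    """Real transport: one JSON POST, mirroring the wiki's curl invocations."""
    body = json.dumps(payload).encode("ascii")
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("iso-8859-1"))


def get_token(user: str, password: str, post=http_post) -> str:
    """Run the two-step exchange once and return the token. Deliberately no
    retry loop: the server locks out after 5 failed token requests, so a wrong
    password should surface as an error rather than be resubmitted."""
    reply = post(f"{BASE_URL}/getAuthorizationChallenge",
                 {"getAuthorizationChallenge": {"user": user}})
    try:
        challenge = reply["getAuthorizationChallengeResponse"]["challenge"]
    except (KeyError, TypeError):
        raise AuthError(f"challenge step failed: {reply!r}") from None

    reply = post(f"{BASE_URL}/getAuthorizationToken",
                 {"getAuthorizationToken": {
                     "user": user,
                     "challengeresp": challenge_response(challenge, password)}})
    try:
        return reply["getAuthorizationTokenResponse"]["token"]
    except (KeyError, TypeError):
        raise AuthError(f"token step failed: {reply!r}") from None


class FakeAuthServer:
    """Constructed offline stand-in for the two endpoints (hypothetical; not the
    real backend). It replays the wiki's sample challenge and token and enforces
    the documented 5-failure limit; the error bodies are made up."""
    MAX_FAILURES = 5

    def __init__(self, user: str = "demo", password: str = "demo"):
        self.user, self.password, self.failures = user, password, 0

    def __call__(self, url: str, payload: dict) -> dict:
        if self.failures >= self.MAX_FAILURES:
            return {"error": "too many failed token requests, client blocked"}
        if url.endswith("/getAuthorizationChallenge"):
            return {"getAuthorizationChallengeResponse": {
                "challenge": PAGE_CHALLENGE, "timestamp": "1445959735.123694"}}
        if url.endswith("/getAuthorizationToken"):
            req = payload.get("getAuthorizationToken", {})
            expected = challenge_response(PAGE_CHALLENGE, self.password)
            if req.get("user") == self.user and req.get("challengeresp") == expected:
                return {"getAuthorizationTokenResponse": {
                    "token": PAGE_TOKEN, "timestamp": "1445959820.963816"}}
            self.failures += 1
            return {"error": "authentication error"}
        return {"error": "unknown endpoint"}


if __name__ == "__main__":
    print("page vector reproduced:", matches_page_vector())
    print("token from fake server:", get_token("demo", "demo", post=FakeAuthServer()))
```

Against the real service, call `get_token("demo", "demo")` with the default transport; keep the returned token for the whole trading session rather than re-running the exchange before every REST call, since the challenge (and token) stays fixed for about a week and every incorrect token request counts toward the lockout.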