pws-auth/README.md

# PwsAuth

PwsAuth is an authentication protocol throught http header designed to web services

## Request Headers

Request headers must be define as follow  :

    Pws-Authorization : $type $token
    Pws-Ident : $userkey

The **$token** can be either a `loginToken` or a `sessionToken`

The **$token** is divided in four part

* a datetime formatted with the `Authenticator::DATE_FORMAT` format
* an obfuscate part 's token builded by date, common salt & the third token 's part
* a loginToken representing a user signed token for a specific login at given date
  OR 
  a session token representing the session id
* noise data to be removed

The complete token is valid only if obfuscate part can be rebuild.  
This simple mecanism ensure that **sessionId** is valid and can be safety load

Authenticator 's configuration comes with a `hash.session.index` and `hash.noise.length` values 
wich can be redefined to move the session token part into the complete token

                                                        << hash.session.index >>                             << hash.noise.length >>
    |-----------------------------------------------------------<<-^->>---------------------------------------------<<-^->>--------|
    |- type ||-- date ---|------------ obfuscate token ---------<<-^->>-------------- session token ----------------<<-^->> noise -|
    |       ||     1     |                    2                    |                         3                         |     4     |
     PwsAuth2 242003031711e1a6104135f04c6c01e6cd5952ecafbb53c928603b0gb64tqo609qse6ovd7lhdvk4fnaqk7cdl26e4d4qh7jb41eu5f1zb5y79m8pgu3


### ClientSide

A request header can be generated via the `generateHeader($login, $key, $sessid=null)` method.  
The third parameter determine wich kind of token will be generated

### ServerSide

The Token can be retriew via the `getToken` method

`loginToken` is validate by the `check(Token $token = null, $login)` method  
`loginToken` must match a public url with method `POST` and a couple of login/password  
On successfull login, the session id must be transmit to the client.

`sessionToken` is valid only if the session can effectively be loaded, and the 
user key match the given `Pws-Ident` value

### Configuration

Configuration must be the same on server and client sides  
Hash definition is a convenient way to obfuscate your tokens  

`config/pwsauth.yml`

```yaml

type    : PwsAuth2

header  :
    auth            : Pws-Authorization
    ident           : Pws-Ident

salt    : 
    common          : jK5#p9Mh5.Zv}
    # used for generating user specific salt
    user.index      : 10
    user.length     : 12

hash    :
    sep             : /
    algo            : sha256
    # effective token length size. out of bound data is simply noise
    length          : 52
    # session index (or obfuscate length)
    session.index   : 58
    # ending noise data length)
    noise.length    : 12
```

### Authenticator instanciation

```php
<?php
require_once(__dir__ . '/vendor/autoload.php');

use Symfony\Component\Yaml\Yaml;
use MetaTech\PwsAuth\Authenticator;

$config        = Yaml::parse(file_get_contents(__dir__ . '/config/pwsauth.yml'));
$authenticator = new Authenticator($config);
```

### Notes

A valid `$userkey` alone is useless  
A valid `$sessionId` alone is useless
Initial commit 2017-03-11 14:04:42 +00:00			`# PwsAuth`

			`PwsAuth is an authentication protocol throught http header designed to web services`

			`## Request Headers`

update README 2017-03-13 14:58:15 +00:00			`Request headers must be define as follow :`
Initial commit 2017-03-11 14:04:42 +00:00
			`Pws-Authorization : $type $token`
			`Pws-Ident : $userkey`

update README 2017-03-13 14:58:15 +00:00			The $token can be either a `loginToken` or a `sessionToken`
Initial commit 2017-03-11 14:04:42 +00:00
update README 2017-03-13 14:58:15 +00:00			`The $token is divided in four part`
Initial commit 2017-03-11 14:04:42 +00:00
			* a datetime formatted with the `Authenticator::DATE_FORMAT` format
			`* an obfuscate part 's token builded by date, common salt & the third token 's part`
			`* a loginToken representing a user signed token for a specific login at given date`
			`OR`
			`a session token representing the session id`
			`* noise data to be removed`

update README 2017-03-13 14:58:15 +00:00			`The complete token is valid only if obfuscate part can be rebuild.`
			`This simple mecanism ensure that sessionId is valid and can be safety load`
Initial commit 2017-03-11 14:04:42 +00:00
			Authenticator 's configuration comes with a `hash.session.index` and `hash.noise.length` values
			`wich can be redefined to move the session token part into the complete token`

			`<< hash.session.index >> << hash.noise.length >>`
			`\|-----------------------------------------------------------<<-^->>---------------------------------------------<<-^->>--------\|`
update README & fix config filename 2017-03-14 20:09:48 +00:00			`\|- type \|\|-- date ---\|------------ obfuscate token ---------<<-^->>-------------- session token ----------------<<-^->> noise -\|`
			`\| \|\| 1 \| 2 \| 3 \| 4 \|`
Initial commit 2017-03-11 14:04:42 +00:00			`PwsAuth2 242003031711e1a6104135f04c6c01e6cd5952ecafbb53c928603b0gb64tqo609qse6ovd7lhdvk4fnaqk7cdl26e4d4qh7jb41eu5f1zb5y79m8pgu3`


			`### ClientSide`

update README 2017-03-13 14:58:15 +00:00			A request header can be generated via the `generateHeader($login, $key, $sessid=null)` method.
			`The third parameter determine wich kind of token will be generated`
Initial commit 2017-03-11 14:04:42 +00:00
			`### ServerSide`

update README 2017-03-13 14:58:15 +00:00			The Token can be retriew via the `getToken` method
Initial commit 2017-03-11 14:04:42 +00:00
update README 2017-03-13 14:58:15 +00:00			`loginToken` is validate by the `check(Token $token = null, $login)` method
			`loginToken` must match a public url with method `POST` and a couple of login/password
			`On successfull login, the session id must be transmit to the client.`
Initial commit 2017-03-11 14:04:42 +00:00
			`sessionToken` is valid only if the session can effectively be loaded, and the
			user key match the given `Pws-Ident` value

			`### Configuration`

update README 2017-03-13 14:58:15 +00:00			`Configuration must be the same on server and client sides`
			`Hash definition is a convenient way to obfuscate your tokens`
Initial commit 2017-03-11 14:04:42 +00:00
update README & fix config filename 2017-03-14 20:09:48 +00:00			`config/pwsauth.yml`

Initial commit 2017-03-11 14:04:42 +00:00			```yaml
update README & fix config filename 2017-03-14 20:09:48 +00:00
			`type : PwsAuth2`

			`header :`
			`auth : Pws-Authorization`
			`ident : Pws-Ident`

			`salt :`
			`common : jK5#p9Mh5.Zv}`
			`# used for generating user specific salt`
			`user.index : 10`
			`user.length : 12`

			`hash :`
			`sep : /`
			`algo : sha256`
			`# effective token length size. out of bound data is simply noise`
			`length : 52`
			`# session index (or obfuscate length)`
			`session.index : 58`
			`# ending noise data length)`
			`noise.length : 12`
Initial commit 2017-03-11 14:04:42 +00:00			```

			`### Authenticator instanciation`

			```php
			`<?php`
			`require_once(__dir__ . '/vendor/autoload.php');`

			`use Symfony\Component\Yaml\Yaml;`
			`use MetaTech\PwsAuth\Authenticator;`

			`$config = Yaml::parse(file_get_contents(__dir__ . '/config/pwsauth.yml'));`
update README & fix config filename 2017-03-14 20:09:48 +00:00			`$authenticator = new Authenticator($config);`
Initial commit 2017-03-11 14:04:42 +00:00			```

			`### Notes`

update README 2017-03-13 14:58:15 +00:00			A valid `$userkey` alone is useless
			A valid `$sessionId` alone is useless