libSmalldb
v0.3
|
Authentication is a mechanism to securely identify a user, so a server knows who is on the other end of the HTTP connection. Authentication does not tell what the user is allowed to do – that is matter of authorization.
Authentication on the modern web can be reduced to following three mechanisms:
Traditional user session is typicaly implemented using the shared token. For REST services it is usually better to use the signed token, because it is state-less (all authentication data are stored in the signed token).
The basic auth is usually used only to obtain a shared token, or to obtain a signed token using SSO service and then pass the obtained signed token to the web application to obtain the shared token or invoke some REST API. The signed token allows truly state-less REST services, since the application only validates signature and does not need maintain any session data between HTTP requests (session data are stored in the signed token).
In traditional web application built on Smalldb we need two state machines: One to represent a user and second to represent the shared token. User state machine is used simply to verify user's password. The shared token machine is the interesting one...
Auth::CookieAuth
and Auth::SharedTokenMachine
classes implement a shared token authentication. The part of the token is stored in an authentication cookie and other part in database (using a session state machine).
CookieAuth
class handles the cookies. SharedTokenMachine
class maintains the session. There should be little to no need to modify CookieAuth
class, but SharedTokenMachine
is designed to be modified for specific needs of your application.
(...)