
Authentication

Brian Becker edited this page Mar 11, 2020 · 1 revision

Jarvis Authentication

Authentication is the process by which your server verifies that a client is who they say they are. Authentication is optional in Jarvis and requires that you write a function to actually perform the authentication. Currently Jarvis supports authentication using userid and password and also HTTP basic authentication (which is another form of userid/password). Other forms of authentication, such as OAuth, could be supported in the future depending on user demand. (And since this is a GitHub project, you're always welcome to develop and contribute such an extension. 👍)

You should be running a secure server (using HTTPS) if you're performing authentication. TLS protects the request in transit, so the client can send its credentials as plain text in the request without you having to overlay some encryption or obfuscation scheme of your own.

Authentication and Session Management

If you use authentication in Jarvis, you'll also be using sessions, even if your application doesn't maintain any other state between requests. This is so that Jarvis can keep track of a user by using the HTTP header identified by SessionIdHeader. You can learn more about Session Management here.

While it's possible to perform authentication without using sessions, this would require that every request include the client's credentials, which means the password travels over the wire and is checked against your user store on every call (and you really don't want to do that).

Steps to Using Authentication
  1. Determine where your application will store user credentials. Typically this will be in a "users" table in your application database. It's good practice never to store the password itself, but to store a per-user random salt together with a hash of the salt and password, a technique known as "salted password hashing" (ideally with a deliberately slow hash such as PBKDF2, bcrypt, scrypt or Argon2).
  2. Write a function to perform authentication and set the AuthenticateFn field to the name of this function.
    The function will take a right argument of a request object and return a 0 (no error) if
  3. Decide how you want the client to provide credentials. At present you have two choices:
    • Using HTTP "basic" authentication, either by supplying userid and password as part of the URL (the userid:password@ form placed before the host name, which tends to leak the password into logs and browser history) or, preferably, by providing a properly formatted Authorization request header.
    • including credentials as part of the payload for your
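The three steps above, worked through as an added example that is not Jarvis code and not part of the original page. It is written in Python rather than APL so the logic can be read on its own: a constructed "users" table holding salted PBKDF2 hashes (step 1), an `authenticate` function that mirrors the contract described for AuthenticateFn by returning 0 on success and a non-zero code otherwise (step 2), and acceptance of credentials either from an `Authorization: Basic` header or from a userid/password pair in the payload (step 3). The request is modelled as a plain dict with `headers` and `payload` keys; that shape, the 401 failure code and the PBKDF2 iteration count are assumptions, not Jarvis's actual request object or API.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the "users" table: userid -> (salt, pbkdf2 hash).
# A real deployment keeps this in the application database.
USERS: dict[str, tuple[bytes, bytes]] = {}

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register_user(userid: str, password: str) -> None:
    """Store a fresh random salt and the salted hash; the password itself is never kept."""
    salt = os.urandom(16)
    USERS[userid] = (salt, hash_password(password, salt))


def verify_password(userid: str, password: str) -> bool:
    record = USERS.get(userid)
    if record is None:
        # Hash anyway so an unknown userid costs as much time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def basic_header(userid: str, password: str) -> str:
    """Build the header value a client sends for HTTP basic authentication."""
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Return (userid, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the userid may not contain ':'; the password may.
    userid, sep, password = decoded.partition(":")
    if not sep or not userid:
        return None
    return userid, password


def authenticate(request: dict) -> int:
    """Hypothetical stand-in for a Jarvis AuthenticateFn: 0 on success, 401 otherwise.

    `request` is a constructed dict; 'headers' maps lower-cased header names to values
    and 'payload' is the decoded request body (assumed shape, not Jarvis's request object).
    """
    creds = parse_basic_auth(request.get("headers", {}).get("authorization"))
    if creds is None:
        payload = request.get("payload") or {}
        if isinstance(payload, dict) and "userid" in payload and "password" in payload:
            creds = (str(payload["userid"]), str(payload["password"]))
    if creds is None:
        return 401  # no usable credentials supplied
    userid, password = creds
    return 0 if verify_password(userid, password) else 401


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    print(authenticate({"headers": {"authorization": basic_header("alice", "correct horse battery staple")}}))
    print(authenticate({"payload": {"userid": "alice", "password": "wrong"}}))
```

Note that `authenticate` treats a malformed header (wrong scheme, bad base64, no colon) exactly like missing credentials rather than raising, so a deliberately broken header cannot crash the handler, and that the unknown-user path still performs a hash so response time does not reveal which userids exist.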