Authenticating users

As an Apstrata developer, you automatically get a user directory along with your Apstrata application. A user of your application is defined by many fields; notably a login (username), a password and a name, which are mandatory.

Since Apstrata is meant to be secure, every call to its APIs must carry some means of authenticating the caller, unless you have explicitly permitted otherwise (i.e. you have declared that you accept anonymous calls). Hence, when a call is made to Apstrata on behalf of one of your users, the call must either contain a signature generated from that user's credentials (the "apsws.authSig" parameter) or contain an authentication token ("apsws.token") obtained from Apstrata.

From your application, you can always verify that a given set of user credentials (signature or token) is valid by invoking the "VerifyCredentials" API.


Example: Let your users sign in to your application

In the cool mobile game app that you are developing, you would like to open up some additional features to users who have signed up and are thus known to your user directory. In addition, since you want your application to be as secure as possible, you would like to avoid storing your end users' credentials in the local storage of their mobile device. Therefore, you need to implement some kind of login form on the client side of your app where your end users can enter their username and password. You then need to verify these credentials and obtain an authentication token that you can safely store on the client side.

First step: authenticate the end user and create an authentication token

https://varick.apstrata.com/apsdb/rest/O763A7F690/GenerateToken?apsws.time=1421067113684&apsws.responseType=json
&apsws.authSig=1933c4b633b2ad05c40c2bd7c7ad0aa8
&apsws.id=user1@mail.com
&apsws.authMode=simple
&apsdb.tokenExpires=1800
&apsdb.tokenLifetime=3600
&apsdb.bindReferrer=false

// UserConnection, Client and AuthMode come from the Apstrata Java SDK
import java.util.ArrayList;
import java.util.List;
import org.apache.http.NameValuePair;
import org.apache.http.message.BasicNameValuePair;

UserConnection connection = null;
try {
	String authKey = "O763A7F690"; // Replace with your application key
	String baseURL = "https://varick.apstrata.com/apsdb/rest";
	// Create a user connection from the end user's login and password; the SDK signs the call with them (apsws.authSig)
	connection = new UserConnection(baseURL, authKey, "user1@mail.com", "somePassword");
	Client client = new Client(baseURL, authKey, connection);
	List<NameValuePair> parameters = new ArrayList<NameValuePair>();
	// Token usable for 30 minutes (1800 s), renewable for at most 60 minutes (3600 s), not bound to a referrer
	BasicNameValuePair tokenExpires = new BasicNameValuePair("apsdb.tokenExpires", "1800");
	BasicNameValuePair tokenLifetime = new BasicNameValuePair("apsdb.tokenLifetime", "3600");
	BasicNameValuePair bindReferrer = new BasicNameValuePair("apsdb.bindReferrer", "false");
	parameters.add(tokenExpires);
	parameters.add(tokenLifetime);
	parameters.add(bindReferrer);
	// No files are attached to this call (the map type is assumed; use the one your SDK version expects)
	java.util.Map<String, java.io.File> filesMap = null;
	String response = client.callAPI("GenerateToken", parameters, filesMap, AuthMode.SIMPLE);
	if (response.contains("INVALID_SIGNATURE")) {
		// Display some error message about invalid credentials
	}
} catch (Exception e) {
	e.printStackTrace();
}

In the above code sample, what we did is the following:

  • Sign a call to the GenerateToken API using the end user's login + password (this results in adding the apsws.authSig parameter to the query string). If the signature is valid (i.e. the credentials used to generate it are correct), the GenerateToken API will execute.
  • Ask the GenerateToken API to return an authentication token that is usable for authentication for 30 min (1800) and that cannot be renewed after 60 min (3600).
  • Ask the GenerateToken API not to bind the generated token to any referrer (you have to configure your application once for that to work: open the Apstrata workbench, click on "Manage App > Configuration", then set "Allow not binding to referrer" to "true").


Next: reuse the authentication token when invoking Apstrata on behalf of an end user

https://varick.apstrata.com/apsdb/rest/O763A7F690/RunScript?apsws.time=1421067113684&apsws.responseType=json
&apsws.id=user1@mail.com
&apsws.authMode=simple
&apsdb.authToken=FE0EE5D869167ADED4A35A27C720FE08
&apsdb.scriptName=tutorial/testToken

// UserConnection, Client and AuthMode come from the Apstrata Java SDK
import java.util.ArrayList;
import java.util.List;
import org.apache.http.NameValuePair;
import org.apache.http.message.BasicNameValuePair;

UserConnection connection = null;
try {
	String authKey = "O763A7F690"; // Replace with your application key
	String baseURL = "https://varick.apstrata.com/apsdb/rest";
	connection = new UserConnection(baseURL, authKey, "user1@mail.com", "somePassword"); // We create a user connection using the end user's password
	Client client = new Client(baseURL, authKey, connection);
	List<NameValuePair> parameters = new ArrayList<NameValuePair>();
	// The token obtained from GenerateToken authenticates this call in place of a fresh signature
	BasicNameValuePair userId = new BasicNameValuePair("apsws.id", "user1@mail.com");
	BasicNameValuePair authToken = new BasicNameValuePair("apsdb.authToken", "FE0EE5D869167ADED4A35A27C720FE08");
	BasicNameValuePair scriptName = new BasicNameValuePair("apsdb.scriptName", "tutorial/testToken");
	parameters.add(userId);
	parameters.add(authToken);
	parameters.add(scriptName);
	// No files are attached to this call (the map type is assumed; use the one your SDK version expects)
	java.util.Map<String, java.io.File> filesMap = null;
	String response = client.callAPI("RunScript", parameters, filesMap, AuthMode.SIMPLE);
	if (response.contains("INVALID_TOKEN")) {
		// Display some error message about invalid credentials
	}
} catch (Exception e) {
	e.printStackTrace();
}
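To make the two steps above concrete, here is an added example (not Apstrata's code, nor part of this page's Java sample) that models the token semantics the page describes: a first step that checks the user's credentials and issues a token with a 1800 s validity window and a 3600 s absolute lifetime, and a second step that authenticates a RunScript-style call with the token alone, so the client never needs to keep the password. The in-memory user directory, the PBKDF2 password hashing, the token format, the referrer check and the renewal rule (renewal allowed any time before the lifetime ends) are all assumptions made for the example.

```python
# Added example: a model of tokenExpires / tokenLifetime / bindReferrer and of the
# INVALID_SIGNATURE / INVALID_TOKEN outcomes. It is not Apstrata's implementation;
# the directory, hashing, token format and renewal rule are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    user_id: str
    expires_window: int        # apsdb.tokenExpires: seconds of validity per (re)issue
    expires_at: float          # sliding bound, moved forward by renew()
    lifetime_end: float        # apsdb.tokenLifetime: absolute bound, never moves
    referrer: Optional[str]    # None when the token is not bound to a referrer


class UserDirectory:
    """Constructed stand-in for the application's user directory."""

    def __init__(self) -> None:
        self._users: dict = {}

    def add_user(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user_id] = (salt, digest)

    def check_password(self, user_id: str, password: str) -> bool:
        if user_id not in self._users:
            return False
        salt, digest = self._users[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


class TokenStore:
    """Server-side token table; the client only ever holds the opaque token string."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def generate_token(self, user_id: str, token_expires: int, token_lifetime: int,
                       referrer: Optional[str] = None, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if token_expires > token_lifetime:
            raise ValueError("tokenExpires must not exceed tokenLifetime")
        token = secrets.token_hex(16).upper()  # 32 hex chars, like the sample token on the page
        self._tokens[token] = TokenRecord(user_id, token_expires, now + token_expires,
                                          now + token_lifetime, referrer)
        return token

    def validate(self, user_id: str, token: str, referrer: Optional[str] = None,
                 now: Optional[float] = None) -> str:
        """Return "OK" or "INVALID_TOKEN"."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec.user_id != user_id:
            return "INVALID_TOKEN"
        if now >= rec.lifetime_end:
            del self._tokens[token]       # past the absolute bound: discard it for good
            return "INVALID_TOKEN"
        if now >= rec.expires_at:
            return "INVALID_TOKEN"        # idle-expired; renew() may still extend it
        if rec.referrer is not None and rec.referrer != referrer:
            return "INVALID_TOKEN"        # bound to a different referrer
        return "OK"

    def renew(self, user_id: str, token: str, now: Optional[float] = None) -> bool:
        """Extend the sliding window, but never beyond the absolute lifetime."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec.user_id != user_id or now >= rec.lifetime_end:
            return False
        rec.expires_at = min(now + rec.expires_window, rec.lifetime_end)
        return True


def login(directory: UserDirectory, store: TokenStore, user_id: str, password: str,
          now: Optional[float] = None) -> str:
    """First step: check the credentials, then issue a token (or report INVALID_SIGNATURE)."""
    if not directory.check_password(user_id, password):
        return "INVALID_SIGNATURE"
    return store.generate_token(user_id, 1800, 3600, referrer=None, now=now)


def run_script(store: TokenStore, user_id: str, token: str, script_name: str,
               now: Optional[float] = None) -> str:
    """Second step: a call authenticated by the token alone; no password is involved."""
    status = store.validate(user_id, token, now=now)
    if status != "OK":
        return status
    return f"ran {script_name} as {user_id}"
```

The `now` parameter exists so the expiry arithmetic can be exercised deterministically; in production it would simply default to the clock. Note that the client stores only the token: once `login` has returned, the password is no longer needed for any later call, which is the whole point of the two-step flow.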