
API to generate auth token

Open rawlingsj opened this issue 10 years ago • 11 comments

Looking at the docs[1], it seems the only way to generate an auth token is via the UI. It would be great if we could do this via the API too.

[1] https://github.com/sdelements/lets-chat/wiki/API%3A-Authentication

rawlingsj Apr 28 '15 19:04

At the present time our hands are tied. What auth token would you use to generate an auth token? We have no permissions in the app, so it's not like an admin user could do it. Maybe when we have admin roles, etc. we could do this?

geoffwhittington Apr 28 '15 19:04

Yeah, I see your point. I'm trying to automatically set up the integration for Lets Chat, Taiga, Gogs and Hubot. I'm just trying to figure out the options at the moment, but Taiga offered a way to generate an auth code after logging in with a username/password: http://taigaio.github.io/taiga-doc/dist/api.html.

It may not be the best way, and maybe I need to understand more about OAuth options. I was hoping to hook them all up to the GitHub OAuth to authenticate for starters. I don't know enough, so I will do some more reading, but does that sound like a better route to start investigating? Could it be possible to use OAuth and have that give me a bearer token for a system user that would be shared between multiple projects like Taiga and Hubot?

rawlingsj Apr 28 '15 19:04

One possibility for us is to expose a single token-generating endpoint that accepts username/password? Not sure, I'm sure the security people here have an opinion on best practices, etc.

geoffwhittington Apr 28 '15 19:04

And I think that would be great; however, as you say, there are probably wider concerns, but if a way could be figured out it would be awesome.

rawlingsj Apr 28 '15 19:04

I should read our own documentation :) We do have Basic Auth support, but it uses the token. I guess what we could do is change the meaning of Basic Auth for one endpoint. But that just seems weird.

geoffwhittington Apr 28 '15 19:04

We're heading towards a multi-token setup, an endpoint for token management is definitely something we should consider doing.

hhaidar Apr 29 '15 02:04

Ok cool, that sounds great.

rawlingsj Apr 29 '15 07:04

Maybe if there was just a way to generate a token from the outside and pass it into letschat when it starts up; then folks could use the REST API if they knew the 'admin token'?

At least then:

  • this admin token is optional (e.g. defined via an environment variable - folks can ignore it if they wish)
  • we don't need to secure a 'token generating endpoint'

jstrachan Jun 16 '15 14:06

In many ways this issue (which I've submitted a PR for) https://github.com/sdelements/lets-chat/issues/509 is a good enough fix for this issue really; it lets us spin up a hubot user on startup so that hubot can talk to letschat.

jstrachan Jun 19 '15 09:06

+1 for this. Looking forward to an API endpoint for generating a token (e.g. via posting username & password and sending the token as a response - that would be great!)

mrmnmly May 23 '16 11:05

I have added an endpoint to generate a token. It accepts username and password (in body) for authentication. It scraps the old token and returns a new one. I would like to create a pull request if this feature is wanted. See this commit.

Pawan-Bishnoi Jul 24 '17 17:07
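
The endpoint behaviour discussed in this thread (username and password in, old token scrapped, new token out), sketched as an added example that is not lets-chat's code or the commit mentioned above. The in-memory store and the names `addUser`, `rotateToken` and `verifyToken` are hypothetical.

```javascript
// Added example: in-memory sketch of token rotation behind a password check.
// Not lets-chat code; store and function names are assumptions for illustration.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Hash a password with scrypt and a per-user random salt.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed sample user store; a real service would use its user database.
const users = new Map();
function addUser(username, password) {
  users.set(username, { ...hashPassword(password), tokenHash: null });
}

// Verify username/password, scrap the old token and return a new one.
// Returns null on any failure, so an unknown user and a bad password look alike.
function rotateToken(username, password) {
  const user = users.get(username);
  // Unknown users still cost one scrypt run, which keeps response timing similar.
  const salt = user ? user.salt : Buffer.alloc(16);
  const candidate = crypto.scryptSync(String(password), salt, 32);
  if (!user || !crypto.timingSafeEqual(candidate, user.hash)) return null;
  const token = crypto.randomBytes(32).toString('hex');
  user.tokenHash = sha256(token); // only the hash is stored; the old token stops working
  return token;
}

// Compare a presented token with the stored hash in constant time.
function verifyToken(username, token) {
  const user = users.get(username);
  if (!user || !user.tokenHash) return false;
  return crypto.timingSafeEqual(sha256(String(token)), user.tokenHash);
}

addUser('hubot', 'constructed-sample-password'); // constructed sample account
```

An HTTP handler wrapping `rotateToken` would also need TLS and rate limiting on failed attempts, since it accepts a password directly.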