
Authentication

Daniel Wagner edited this page Dec 26, 2019 · 6 revisions


JWT

To ensure optimal security, JSON Web Token (JWT) authentication is used. The tokens are cryptographically signed by the server, so any modification after they have been issued is detected when the signature is checked. They also expire automatically after a set time. This combination is what makes them suitable for single sign-on systems, for example.

Backend setup

Our complete REST API is protected by JWTs; only authenticated users receive JSON responses with data from, for example, /api/patients. In Django the djangorestframework-simplejwt library is used. It protects all views and viewsets of the application by default, as configured by this setting in settings.py of the base app:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ]
}

Of course this setting can be overridden in individual views with the classes from rest_framework.permissions or rest_framework.authentication.

The URLs for JWT generation, refreshing and verification are defined in urls.py of the accounts app:

urlpatterns = [
    url(r'^auth/', obtain_jwt_token),
    url(r'^refresh/', refresh_jwt_token),
    url(r'^verify/', verify_jwt_token),
]

Accessing the Patients API

First a request to /auth/ is made to obtain a token, which is valid for 10 minutes. To access /api/patients, the GET request must include the following HTTP header:

GET /api/patients/ HTTP/1.1
Host: 127.0.0.1:8000

{
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InBhbGxpY2FyZV9hZG1pbiIsImV4cCI6MTU3NjkzOTg5NCwiZW1haWwiOiIifQ.lWuSyVjncXDF_g0Vyi4PPOn5VDXNx5JpUAKAslIZFY4"
}
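As an added illustration of what the two sections above rely on (a signed token whose alteration is detected, and a 10-minute expiry), here is a stand-alone HS256 issue/verify routine producing tokens with the same claim shape as the one shown above. This is example code, not the project's or djangorestframework-simplejwt's; DEMO_SECRET, TOKEN_LIFETIME and the function names are constructed for the example, and because the app's real Django SECRET_KEY is not on this page, the token above can only be decoded with it, never verified.

```python
import base64, hashlib, hmac, json

# Constructed demo secret: the app's real Django SECRET_KEY is not on this page.
DEMO_SECRET = b"demo-secret-not-the-real-SECRET_KEY"
TOKEN_LIFETIME = 600  # seconds; the 10-minute lifetime described on this page

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: int, username: str, secret: bytes, now: float) -> str:
    """Build a compact HS256 JWT with the claim shape of the token shown above."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"user_id": user_id, "username": username,
              "exp": int(now) + TOKEN_LIFETIME, "email": ""}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, now: float) -> dict:
    """Return the claims only if signature and expiry check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # Pin the algorithm on the server side instead of trusting the token header.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time compare, and check the signature before trusting any claim.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def check(token: str, secret: bytes, now: float) -> str:
    try:
        verify_token(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Decoding the claims segment of the token shown above (without verification) reveals user_id 1, username pallicare_admin and an exp of 1576939894, i.e. a token that has long since expired.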

Authentication flow

First the web app tries to obtain a token with the entered username and password. If this succeeds, a session is started and the user can browse the app. Every 30 seconds the token gets refreshed, on the condition that the user is active. An idle user is logged out after 3 minutes of idle time.

Expiration

This is set to 10 minutes in settings.py of the base app. If the page isn't used for 10 minutes the token expires and the patient data cannot be accessed any more, for security and privacy reasons. TODO: This can be changed in the settings menu of the web app.
When the page isn't being used, it gets reloaded and the user is taken to the public route domain.com/login. domain.com/protected cannot be accessed then.
