Authentication¶
Authentication with the Soledad server is made using Twisted’s Pluggable Authentication system. The validation of credentials is performed by verifying a token provided by the client.
There are currently two distinct authenticated entry points:
- A public TLS encrypted Users API, providing the Synchronization and
Blobs services, verified against the Leap Platform
tokens
database. - A local plaintext Services API, currently providing only the delivery part of the Incoming service, authenticated against tokens defined in a file specified on the server configuration file (see the Services API tokens file section).
Authorization header¶
The client has to provide a token encoded in an HTTP auth header, as in:
Authorization: Token <base64-encoded uuid:token>
If no token is provided, the request is considered an “anonymous” request. Anonymous requests can only access GET /, which returns information about the server (as the version of the server and runtime configuration options).
Services API tokens file¶
Credentials for services accessible through the local Services API entrypoint
can be added into a file, one in each line with the format
servicename:token
, like this:
incoming:Zm9yYSB0ZW1lciEK
By default, Soledad Server will look for the tokens file in
/etc/soledad/services.tokens
but that is configurable (see
Configuring for more information).
Currently, the only special credential provided is for the Incoming service.
Implementation¶
Soledad Server package includes a systemd service file that spawns a twistd
daemon that loads a .tac file.
When the server is started, two services are spawned:
- A local entrypoint for services (serving on localhost only).
- A public entrypoint for users (serving on public IP).
- Localhost and public IP ports are configurable. Default is 2424 for public IP and 2525 for localhost.
.------------------------------------------------------.
| soledad-server |
| (twisted.application.service.Application) |
'------------------------------------------------------'
| |
.--------------. .----------------.
| 0.0.0.0:2424 | | 127.0.0.1:2525 |
| (TLS) | | (TCP) |
'--------------' '----------------'
| |
.----------------. .----------------------.
| Auth for users | | Auth for services |
| (UsersRealm) | | (LocalServicesRealm) |
'----------------' '----------------------'
| |
.------------------. .-------------------------.
| Users API | | Services API |
| (PublicResource) | | (LocalResource) |
'------------------' '-------------------------'
| .-------. .-----------------. |
'->| /sync | | /incoming |<-'
| '-------' | (delivery only) |
| .--------. '-----------------'
'->| /blobs |
'--------