Authentication

Droplr API server uses a custom authentication method, together with a few other mechanisms, to provide a safe, non-reversible authentication scheme (the clear password is never transmitted) which is also immune to replay attacks.

Authentication works on a per-request basis, which means that every single request must be signed according to its contents.

In order to access the API you must have a public/private key pair issued for Droplr's API server.

Protection Against Replay Attacks

All requests must include a Date header, with the time in Unix (POSIX) format: the milliseconds elapsed since midnight, January 1st, 1970, UTC.

This value must fall within 15 minutes (ahead or behind) of the server's clock. If this condition fails, the request may be discarded.

Furthermore, the server keeps used signatures in a local cache, for as long as the time window in which they are valid, in order to reject replayed requests.

If the framework you are using doesn't allow you to set the Date header manually, you can use the custom x-droplr-date header instead. When set, this header takes precedence over the Date header.

Public Operations

Droplr API server provides many operations; the ability to execute each of them depends on the privileges configured for the public/private API key pair assigned to an application. As an example, a typical third party application will be able to list drops, perform uploads, delete drops and alter user information, but it won't be able to create new accounts.

Authentication Formula

Starting from the end, an example of how an Authorization header should look is:

    # Example Authorization header
    Authorization: droplr YXBwXzBfcHVibGlja2V5OnVzZXJfMUBkcm9wbHIuY29t:3+MqSMFYYwh6grneUezBtRkunmE=

Its general form is:

    Authorization: droplr BASE64(ApplicationPublicKey:UserEmail):signature

where ApplicationPublicKey and UserEmail are your application's assigned public key and the user's email.

The formula to compute the signature parameter is:

    signature = HMAC_SHA1(ApplicationPrivateKey:UserPasswordSHA1, stringToSign)

ApplicationPrivateKey and UserPasswordSHA1 are your application's assigned secret key and the user's hashed password. The hashing function for the password is SHA-1. We strongly recommend that you always store the hash of the password as your users enter their credentials, discarding the clear password as soon as possible.

In summary:

    Authorization: droplr BASE64(ApplicationPublicKey:UserEmail):signature
    signature = HMAC_SHA1(ApplicationPrivateKey:SHA1(UserPassword), stringToSign)

The stringToSign parameter is a concatenation of some of the contents of the request: requestLine, contentType and date, separated by newline characters (the pair of characters \n represents the newline character). The parameter requestLine is simply the concatenation of the method, URI and HTTP version (with spaces). contentType and date are the values of the Content-Type and Date headers included in the request. While contentType may be an empty string (for requests that bear no body), date is mandatory and must have a value. Even when contentType is empty, its trailing line break MUST be included.

    # Example stringToSign parameter with no contentType

This sub-section provides a couple of examples of requests and their respective generated signature. The following credentials are assumed throughout the examples:

    User email:
    User password: giggity (will be hashed to 1869bfcf575c810780534a7f5e4f6c225b4ca3bd)
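The replay-protection rules and the signature formula above, as an added worked example in Python; this is not Droplr's code or client library. ApplicationPublicKey and UserEmail are taken from the page's example header (decoded from its base64 part); the private key, the epoch date, the request and the credential store are constructed placeholders; and joining requestLine, contentType and date with newlines in that order is our reading of the description.

```python
import base64
import hashlib
import hmac

# Public key and email as decoded from the page's example Authorization header.
APP_PUBLIC_KEY = "app_0_publickey"
USER_EMAIL = "user_1@droplr.com"
# Hypothetical: the page never shows a private key (it is secret by design).
APP_PRIVATE_KEY = "app_0_privatekey"
USER_PASSWORD = "giggity"
# The page's window: Date may differ from the server clock by up to 15 minutes.
WINDOW_MS = 15 * 60 * 1000


def password_hash(password):
    """SHA-1 hex digest of the clear password: the UserPasswordSHA1 the client keeps."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def string_to_sign(method, uri, content_type, date, http_version="HTTP/1.1"):
    """requestLine, contentType and date joined by newlines (our reading of the page).

    The newline after contentType is emitted even when contentType is empty."""
    request_line = f"{method} {uri} {http_version}"
    return f"{request_line}\n{content_type}\n{date}"


def signature(private_key, password_sha1, sts):
    """Base64 of HMAC-SHA1 keyed with 'ApplicationPrivateKey:UserPasswordSHA1'."""
    key = f"{private_key}:{password_sha1}".encode("utf-8")
    mac = hmac.new(key, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def authorization_header(public_key, email, sig):
    """'droplr BASE64(ApplicationPublicKey:UserEmail):signature'."""
    ident = base64.b64encode(f"{public_key}:{email}".encode("utf-8")).decode("ascii")
    return f"droplr {ident}:{sig}"


def sign_request(method, uri, content_type, date_ms, public_key, email, private_key, password_sha1):
    """Client side: the headers a request must carry; date_ms becomes the Date header."""
    sig = signature(private_key, password_sha1, string_to_sign(method, uri, content_type, date_ms))
    headers = {"Date": str(date_ms), "Authorization": authorization_header(public_key, email, sig)}
    if content_type:
        headers["Content-Type"] = content_type
    return headers


class Verifier:
    """Server side: clock window, signature recomputation and the used-signature cache."""

    def __init__(self, credentials, window_ms=WINDOW_MS):
        # credentials: {(public_key, email): (private_key, password_sha1)}, a constructed store.
        self.credentials = credentials
        self.window_ms = window_ms
        self.seen = {}  # signature -> time (ms) after which it can no longer be valid

    def verify(self, method, uri, headers, now_ms):
        # 1. Date window; x-droplr-date takes precedence over Date when present.
        date_hdr = headers.get("x-droplr-date", headers.get("Date"))
        if date_hdr is None or not date_hdr.isdigit():
            return False
        date_ms = int(date_hdr)
        if abs(now_ms - date_ms) > self.window_ms:
            return False
        # 2. Parse 'droplr <base64 ident>:<signature>' and look up the key pair.
        scheme, _, rest = headers.get("Authorization", "").partition(" ")
        ident_b64, _, sig = rest.partition(":")
        if scheme != "droplr" or not ident_b64 or not sig:
            return False
        try:
            public_key, _, email = base64.b64decode(ident_b64, validate=True).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        creds = self.credentials.get((public_key, email))
        if creds is None:
            return False
        private_key, password_sha1 = creds
        # 3. Recompute over what was actually sent; compare in constant time.
        sts = string_to_sign(method, uri, headers.get("Content-Type", ""), date_hdr)
        if not hmac.compare_digest(signature(private_key, password_sha1, sts), sig):
            return False
        # 4. Replay check: drop expired entries, reject a signature seen before, record this one.
        self.seen = {s: exp for s, exp in self.seen.items() if exp > now_ms}
        if sig in self.seen:
            return False
        self.seen[sig] = date_ms + self.window_ms
        return True


def demo():
    """Constructed exchange: a valid GET /drops, the same request replayed, and a stale one."""
    date_ms = 1300000000000  # constructed Date header value (ms since the epoch)
    pw_hash = password_hash(USER_PASSWORD)
    headers = sign_request("GET", "/drops", "", date_ms, APP_PUBLIC_KEY, USER_EMAIL, APP_PRIVATE_KEY, pw_hash)
    server = Verifier({(APP_PUBLIC_KEY, USER_EMAIL): (APP_PRIVATE_KEY, pw_hash)})
    return {
        "fresh": server.verify("GET", "/drops", headers, date_ms + 1000),
        "replay": server.verify("GET", "/drops", headers, date_ms + 2000),
        "stale": server.verify("GET", "/drops", headers, date_ms + 16 * 60 * 1000),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences of the scheme are visible in the code. First, because the replay cache is keyed on the signature, a client that retries a request must sign it again with a fresh Date value, otherwise the retry is indistinguishable from a replay and is rejected. Second, storing SHA-1(password) instead of the clear password only limits exposure of the password itself: the stored digest is the HMAC key, so anyone who obtains it together with the application's private key can sign requests as that user, and it must be protected accordingly.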