Skip to main content

Extension to allow paswordless login to the CKAN API

Project description

CKAN Passwordless API

Extension to allow paswordless login to the CKAN API.

Documentation: https://envidat.gitlab-pages.wsl.ch/ckanext-passwordless_api/

Source Code: https://gitlabext.wsl.ch/EnviDat/ckanext-passwordless_api


This plugin is primarily intended for custom frontends built on the CKAN API.

By using API tokens from CKAN core (>2.9), this plugin provides an authentication flow where:

  1. Users receive a login token via email (via reset key in core).
  2. API token is returned on valid login token (reset key) submission.
  3. The API token should then be included in Authorization headers from the frontend --> CKAN calls.

Based on work by @espona (Lucia Espona Pernas) for ckanext-passwordless (https://github.com/EnviDat/ckanext-passwordless).

A second login flow is also supported, using Azure AD:

  1. User logs in with authorization code flow in frontend (@azure/msal-browser or similar).
  2. Azure token is passed to azure specific endpoint.
  3. Token is validated and API token for CKAN is returned.
  4. The API token should then be included in Authorization headers from the frontend --> CKAN calls.

Install

pip install ckanext-passwordless-api

Config

Optional variables can be set in your ckan.ini:

  • passwordless_api.guidelines_url
    • Description: A link to your website guidelines.
    • Default: None, not included.
  • passwordless_api.policies_url
    • Description: A link to your website policies.
    • Default: None, not included.
  • passwordless_api.welcome_template
    • Description: Path to welcome template to render as html email.
    • Default: uses default template.
  • passwordless_api.reset_key_template
    • Description: Path to reset key template to render as html email
    • Default: uses default template.
  • passwordless_api.cookie_name
    • Description: Set to place the API token in a cookie, with given name. The cookie will default to secure, httpOnly, samesite: Lax.
    • Default: None, no cookie used.
  • passwordless_api.cookie_domain
    • Description: The domain for samesite to respect, required if cookie set.
    • Default: None.
  • passwordless_api.cookie_samesite
    • Description: To change the cookie samesite value to Strict. Only enable this if you know what you are doing.
    • Default: None, samesite value is set to Lax.
  • passwordless_api.cookie_http_only
    • Description: Use a httpOnly cookie, recommended.
    • Default: true.
  • passwordless_api.cookie_path
    • Description: Set a specific path to use the cookie, e.g. /api.
    • Default: / (all paths).

Endpoints

POST

  • <CKAN_HOST>/api/3/action/passwordless_request_reset_key
    • Description: Request a login token for a given email.
    • Creates user if they do not exist & sends welcome email.
    • Param1: email (str).
  • <CKAN_HOST>/api/3/action/passwordless_request_api_token
    • Description: Request an API token, given the email and login token (reset_key).
    • Param1: email (str).
    • Param2: key (str).
  • <CKAN_HOST>/api/3/action/passwordless_request_api_token_azure_ad
    • Description: Request an API token, given the email and Azure AD token.
    • Param1: email (str).
    • Param2: token (str).
  • <CKAN_HOST>/api/3/action/passwordless_revoke_api_token
    • Description: Revoke an API token.
    • Param1: token (str).

GET

  • <CKAN_HOST>/api/3/action/passwordless_revoke_api_token
    • Description: If logged in, revoke the current API token.
  • <CKAN_HOST>/api/3/action/passwordless_get_user
    • Description: Get user details, given their API token. Also resets and returns a new API token (i.e. renewal). Fails silently if the user is not logged in.

Using the cookie in an Authorization header

If configured, the cookie containing an API token can't do much on it's own.

It is possible to extract the cookie value using frontend JS and pass to the CKAN backend, but this makes your site vulnerable to XSS attacks.

Instead the cookie should be stored in a secure way:

  • samesite=Lax with domain=YOUR_DOMAIN to help prevent CSRF.
    • samesite=Strict is even more secure, but significantly impacts UX for your site.
  • secure to help prevent man-in-the-middle.
  • httpOnly to help prevent XSS.
    • Setting this means the cookie can no longer be accessed from your JS code.

Then a middleware must be used to convert the cookie value into a header than CKAN can interpret:

NGINX server example (nginx is the default/recommended server to reverse proxy CKAN) (https://docs.ckan.org/en/latest/maintaining/installing/deployment.html)

# Add the cookie-based API token to the request Authorization header
# This is passed to the CKAN backend & read automatically by CKAN
proxy_set_header 'Authorization' $cookie_${AUTH_COOKIE_NAME};

# If using caching omit the cookie
proxy_cache_bypass $cookie_${AUTH_COOKIE_NAME};
proxy_no_cache $cookie_${AUTH_COOKIE_NAME};

Apache server example

SetEnvIf Cookie "(^|;\ *)${AUTH_COOKIE_NAME}=([^;\ ]+)" ckan_cookie_value=$2
RequestHeader set Authorization "%{ckan_cookie_value}e"

Notes

  • It is also recommended to disable access to the API via cookie, to help prevent CSRF: ckan.auth.disable_cookie_auth_in_api = true
  • The configuration for API tokens can be configured in core:
api_token.nbytes = 60
api_token.jwt.decode.secret = string:YOUR_SUPER_SECRET_STRING
api_token.jwt.algorithm = HS256

# expire_api_token plugin (unit = 1 day in seconds, lifetime = 3 days)
expire_api_token.default_lifetime = 3
expire_api_token.default_unit = 86400

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ckanext-passwordless-api-1.0.1.tar.gz (14.8 kB view details)

Uploaded Source

Built Distribution

ckanext_passwordless_api-1.0.1-py3-none-any.whl (14.5 kB view details)

Uploaded Python 3

File details

Details for the file ckanext-passwordless-api-1.0.1.tar.gz.

File metadata

File hashes

Hashes for ckanext-passwordless-api-1.0.1.tar.gz
Algorithm Hash digest
SHA256 7ec212ae815ffbbc1d0660e827b9222ec226fb429f9620322954eb5dc25b8a5e
MD5 01d66726d9d6c35bc6fab0a6345392a2
BLAKE2b-256 cfd1f2ca4b22673a2b6aee469b353f223b1c4ad9be8b6fdf31c75c3ecbc0334b

See more details on using hashes here.

File details

Details for the file ckanext_passwordless_api-1.0.1-py3-none-any.whl.

File metadata

File hashes

Hashes for ckanext_passwordless_api-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 853da2b01f58f36b031d53c4f3bf230ad3e7a614d0960ac3385aaf5271f36e4a
MD5 424e5d6330a2394ae48580d798acb6b8
BLAKE2b-256 ccc298f3b3a57f89b13e6f89920d07d591a81df3cf1a67a774a1c2b6a2e6ec7f

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page