GSD REST API Login
There are three options to log in to the database, each of them is characterized by a different level of security due to the various authentication process in performing requests. A more detailed description of them is below.
/v1/login
After successfully logging in to the database, we get a "sessionId", which must be declared in request header as "sessionId" when performing subsequent requests to carry out successful authentication process.
Example
POST request
1 2 3 4 5 6 7 8 | POST http://localhost:8080/v1/login POST data: {"user": "test","pass": "098f6bcd4621d373cade4e832627b4f6","appNames":["test1","test2"]} Request Headers: appkey: 123 Content-Type: application/json |
Response
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 | { "status": { "internalStatus": "0", "statusMessage": "ok" }, "data": { "sessionId": "c75e48cd-4f9e-4fe6-bbaf-61725d019a0d", "user": { "~ClassName": "User", "~ObjectID": "2S49", "~StoreTime": "20180905T114022+02:00", "Name": "GSDWebService", "Description": "Benutzer für Web-Service", "Groups": { "~Count": 1, "~UnfilteredCount": 1, "~Elements": [ { "~ClassName": "UserGroup", "~ObjectID": "2S1Y", "~StoreTime": "20180711T160940+02:00", "Name": "Jeder", "Description": "Rechte für jeden Benutzer" } ] }, "Employee": { "~ClassName": "Mitarbeiter", "~ObjectID": "6NB9", "~StoreTime": "20180718T080522+02:00", "Name1": "webservice", "Name2": "", "Name3": "", "Bild": { "~ClassName": "Bild", "~ObjectID": "8ZWX", "~StoreTime": "20180516T074606+02:00" }, "Mitarbeiteransprechpartner": { "~ClassName": "Ansprechpartner", "~ObjectID": "CQKN", "~StoreTime": "20180718T080526+02:00", "Name1": "webservice", "Name2": "", "Name3": "", "Bild": { "~ClassName": "Bild", "~ObjectID": "8ZWX", "~StoreTime": "20180516T074606+02:00" } } } }, "databaseName": "testDatabase" } } |
/v2/login
After successfully logging in to the database, we get a "token" (JWT), which must be declared in request header as "Authorization" when performing subsequent requests to carry out successful authentication process. More info about JWT.
Example
POST request
1 2 3 4 5 6 7 8 | POST http://localhost:8080/v2/login POST data: {"user": "test","pass": "098f6bcd4621d373cade4e832627b4f6","appNames":["test"]} Request Headers: appkey: 123 Content-Type: application/json |
Response
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 | { "status": { "internalStatus": "0", "statusMessage": "ok" }, "data": { "user": { "~ClassName": "User", "~ObjectID": "2S49", "~StoreTime": "20180905T114022+02:00", "Name": "GSDWebService", "Description": "Benutzer für Web-Service", "Groups": { "~Count": 1, "~UnfilteredCount": 1, "~Elements": [ { "~ClassName": "UserGroup", "~ObjectID": "2S1Y", "~StoreTime": "20180711T160940+02:00", "Name": "Jeder", "Description": "Rechte für jeden Benutzer" } ] }, "Employee": { "~ClassName": "Mitarbeiter", "~ObjectID": "6NB9", "~StoreTime": "20180718T080522+02:00", "Name1": "webservice", "Name2": "", "Name3": "", "Bild": { "~ClassName": "Bild", "~ObjectID": "8ZWX", "~StoreTime": "20180516T074606+02:00" }, "Mitarbeiteransprechpartner": { "~ClassName": "Ansprechpartner", "~ObjectID": "CQKN", "~StoreTime": "20180718T080526+02:00", "Name1": "webservice", "Name2": "", "Name3": "", "Bild": { "~ClassName": "Bild", "~ObjectID": "8ZWX", "~StoreTime": "20180516T074606+02:00" } } } }, "token": "eyJhbGciOiJIUzI1NiIsImtpZCI6ImdCZGFTLVZGZFMzNDIzM2RhUCJ9.eyJzZXNzaW9uSWQiOiJlMWYyN2VmZS04OTM3LTQ0YzUtOTBmMC0xN2E0MmI5NzE4ZTIifQ.2vAN8m00YF5jZa7Psd2S-jl66TvO3NAsRNIndyje3-4", "databaseName": "testDatabase" } } |
/v2/login/secure/key
This request returns server's public key needed for /v2/login/secure.
REMEMBER - use _HTTPS_ to fetch public key. Otherwise we can not guarantee that you get valid data.
Secure login sequence diagram
Examples
GET request
1 2 3 4 5 | GET http://localhost:8080/v2/login/secure/key Request Headers: appkey: 123 Content-Type: application/json |
Response
1 2 3 4 5 6 7 8 9 | { "status": { "internalStatus": "0", "statusMessage": "ok" }, "data": { "key": "-----BEGIN PUBLIC KEY-----\r\nHr78gy7sd08bgdw0gf8w0j2g0f2g2wgfweg80ewgbuwegbewbgeggbewrewgaefJ\r\neworfjewvg8w976g89erb6g7sew7r09wg9q83ht4ggsdf78g7s9g87fsbh89sh7f\r\nfgsdgdsg67f67sd69fsg67g6re90bs9h6sj906gsgh0ag7ag67ag6ag6a90g690a\r\fregd8es9g85gb9gfase685rgf89aewrfds8fd6agh7fs6gfd9sg69fsg9gs6fg9s\r\nfdsagfdz78g5a89hf59hnjfa5hgd8a5f8fa0ajhsgdasgh5fdhfatawefaewewfC\r\nfsgfsgDSGFygoGIsdfuhf789sg690agfGY0Dgy90DGY7vgfdyvd07fewnvuwi77w\r\nFDSREWWF\r\n-----END PUBLIC KEY-----\r\n" } } |
/v2/login/secure
This case is different from the previous login options. First, it is necessary to get the public key - "key" using the /v2/login/secure/key request. Having the key it is possible to log in to the database. After successfully logging in to the database, we get a "sessionId" (securely encrypted by server-side), which must be declared in request header as "Secure-Token" when performing subsequent requests to carry out successful authentication process.
/v2/login/secure uses RSA Encryption for request and response.
However RSA message has a maximum length of 1/8 of the key [eg. 2048 key may contain only 256 bytes of message].
To overcome this limitation, we are using common technique of connecting multiple RSA messages into one string and then encoding it with base64.
This means that if your message has 600 bytes it will be 256 + 256 + 256 in length. [The last one contains a RSA padding of 168 bytes].
Tip
You can verify if the response/request string is correct when the length of bytes is a multiplication of maximum message length [eg. 256/512/768/1024 bytes (for 2048 byte key)].
We currently use 2048 bit keys for REST API, however this may change in a future to meet modern standards of encryption.
You can also generate your own key and place them where the encryption config points.
Examples
POST request
Logging in via secure path requires to provide two json keys:
1. credentials:
which must contain following json:
1 2 3 4 5 | { "appNames": [], "user": "", "pass": "" } |
This json must be RSA encrypted using server's public key you get from /v2/login/secure/key and then encoded in base64.
2. publicKey: - your public key encoded in base64.
Having those data encoded correctly you should end up having similar data:
1 2 3 4 5 6 7 8 9 10 11 | POST http://localhost:8080/v2/login/secure POST data: { "credentials": "B7p04IFqCSz2W/zTTwmpFmr17wSKi3/C9nuHBK4vyW4xRBWXTwatWH+T9PhCWYfc7pNed38/bs8g4xXPlmxP17J8pMpqee2ryOjjnnl3702HuS+O1w8p6dsrQotppbuB1XKjscdVWwqmfjgxYbeReQtHOG+gVHSwpi1BXh+uBk+stkxORqtzVzvfUnmB7mLMyXg/fJzmUrj5iTYe7QtM0UD0FhbXfV3yjc3Q0DbZtiAPRtA6Z+83RwApkiuCwGUPdvVXkHC1IxicaE/i60Oaw+nge15sAOcdAou7TxpKVLFq/RJwfJosyHtWsAq0DODDHgaLMeXhAWO9s4twTLJgVw==", "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE0bTBjckVMTFd3c1VxWkVRUnh6QQp3MDcxd3NONFVxTTFmbEx5dzhUVlliWURVNW1MVVhLdmpUUDRRY3JoS255TjZ1R3k2QThiNEw0ZzBvT1NVT2FNClhLYVU4Tnh0ZkNrbHM2R21ML3k3RWJQMTltQVJEMUE2d3d3UGs0bTE1Z1MvRTd2a3dUbDJOZ252ayt0amloUnUKb0pPOUFNK3lvNjg0YkgzMXRVeG9rNU92MU9GMmJaUzJUbEpkaDV4NnN0ZHNweGdpN0Q0NHFqakpuOW9UYS9jaAp6MmJFN1czS1IzcE1TSlc5Syt3UzA0L3IyYkI4RHBTU2I3VWpYVWZUdVY2M2xBNnIzbktMM2QxeEwvQkc1clhUClNoTkNTeGsybmR2OWFVREhRN29EM0o2ZnNycExaOFpFRU9MRjNYaW94TDFoQU5SY3Y3dk9xQm1oNTNIdjkvWWEKdXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" } Request Headers: appkey: 123 Content-Type: application/json |
If there were an encryption errors (wrong key/wrong data encoding), response will not encrypted so you can easily fix it.
Once you provide properly encoded/encrypted data, all of the further requests you receive will contain only an encrypted payload.
Encrypted response
1 | jbt334DJ60ACttg1JZtyviEPs3mFQmFzioIC15qDKj+Yo+P9ynEMFWm41pnnEhtm1oXZodVP7lEpjM4vsy1DMK7tYw+RFc+KIVkEgI1Tdww0NISlGqM3UfaeL6OfDomTZkQ+Artc1an81HBEbiQsRtlAXTnQDb8ZZBkOklcLXzTiIgwfoKTWU/S5tNhbGk9uSLc2UBXeQTvPiv1LqF4C8h9r4CBlVe8WhLjCXlXLBc8JEwsGbJNMmzwlgM7vf0XHy4mBS3PiWKzHwKV1IaIWcB63O9EGR6Cj5xHSD5FQGrKrfplPQE2g7PJnvlmmd35reLDBGG0NuqlAXVAWYosT3ChkwykslINZ+tH5U3FtTJV46A8E7X1ui6hDF4OSuM/9ltwgSpb/HIUweqFy/8wmTjxyRzOJb+HfTuOkispk1B8uaML3CRBqYc+HF0fJ33C+OXhtZWLV/eDoQQsX+cup52B/Ly+n6r57jDjWCF3rgpH7AIGFKlXahg0JJ8gpSKqehg2A000363y/3orm9A3ZovESSc+ZhMmMDHoAMgTRriOW+F0NdEy2WsThz689qM3YHoyWGeC4KWaYQOCOF8X9e0K22pLVrtZKOiMz9vxW4oL/Jzl4snuc+o08tlthnsCMLAfHTy89g5nmwU1e5wuDkvLYr0oAQ6m7KA24vNocteUfGwo4McshSrXmxRDoT/SjcdJneKylF0aSgLYdEoETsGezQH3u0Jw1qHGOaehit/HrSv7/mOgzHgy8fbPXV1P3wyJ35jMwPw5epuJmTkeTaVBukb5YZ4o4wy1tp8SPVX4FuebAiQVorvigXt5P/AOih20t5xxidVyy7hfc6BxStNuXaQlJyNTA38mePNs1K4KYmo7qdss11T5OGBZ5EWcANBRYdHuKibcyVz6nXfum/qtlHvTrS/nYpbeEe04MTX2v6Dc3+flS0NxFu31y1xt2yXXMS2WKGnTnU835c73WOYrX8CxmwRZN3uUYftKEBzMqiQszBvj1QvnBwl60mCdYzi4tIqdq+ZsHfCTKAo21XXP/kdMWBbVYpQFPkVey9Aau0CUzgqWRQWfovZZlCPTBIMvRMoEraFntmJHmUCLY6d2ERwKgWx3KX9fsnVUHwUnTc00+tYXG0c/6bwO+epGscTC9FWmVSSaiKhv604gim/jhFUrMfA8gt1cD2baDqILHV4yJkfU1eQ3cvHsKKJ7woIz6lGeg68Q2zbVcmGtSXiXUb3CfQexJbmp6Q/ZtIiuM0/mQcZ+uSJfI2zmrWiTYhafkJ3DGSw32KtVlYhw1oGUHmwrzMZtVzT5vXMlqbznb2r1lHnMCza/ZXUjl411bUwaokPMHbbXf5Pj7KKFzXSSVGMP/6VL1MLkwhKTqvzd450kbBTWTBLKzuAE38AbrxlwOHm6QxMiPJrtKhZxvIoO06skT350ddoJix09LyLBYYt0uos+JMwuFksQqZCoaJ+clUccqAenfVgPdLx7pqzQy8AF73w4rfld98HqNZ23fy5j5Ln5uf+BKDhzoauWOUs+V/Bf5xj/W+WSrMs/bFUOz5jz1cLds1GBI3j0a4Tb3UU14MNrQ+ou9GG1dNdHqymg6FcpJJT0bZU3WFwv2hKInG0Cm6HnX+03i4XzkT/3/ah4Bmzpd7ghLaHguiLdw3/cgRGIdMNL4LOBqufMGNsZf6YQCxsmwv5ihF3rBm9FGnZYYJDncGwfpUCO60TU3wAicPkdi/IAoXaaglKbb4wEx82AmUVNDgfC/pPyut1AtR3F1F98idF78BSOZTvxfi+jaidrqN52rxpFtAuzNARV91J/a3sEc4E6iMc3bJnbV/E8TASaPKc0kGJAf87pZFv72EIWqbymc/l86DA5DN2F2DOtUGjSCmvWXZqdIDV0QK+btfteQvC+Z27x2Zf11suTrbmg/EHQprUKjcyjzsYSsdAMOEkkoLE0C+ZeQq6I8fQsbGwcG0OMb8dwQZsWzmPoTuYYe7X4d/IJaRgWunGOGSXbwtueHBgNkYxkGVTclGJSuJo0g2TqwAx6ue5GcdwWIMesRjyeoU4tG08Gwe1Jn+aGIfCG8Tufsl1BhqWx2g2KnU3kMJRihlbyJgpd0K1LQEmo+2jSEGpndLMPK+JB2g1JOlZ/ygmEp6UThEK1uRhlctSBAbuKxeKVJ5vrOKdCqLqJDUSMQA9QvQBdR3P9Dz9vD5nFrCjTdUuTDklEpwBXxGMksVFtWjTAST9ErFc0A/RIGiX3cQtKBgxwJCev1e32mgyxhL/DCjlquhYB7W3PGbhQeYWojZiqtCC1I95mbJc4CubqBom9VRbP6sJrJOQ0yPxwIa1Oa4/Ifdy/TMW8l2v0+EcMEMyKta/5U4lZe+9YtR/+Em1BDWSU7UQ==
|
You must base64 decode then decrypt it using your private key. It will contain login data:
Decrypted response
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 | { "status": { "internalStatus": "0", "statusMessage": "ok" }, "data": { "sessionId": "ZVrH2ogDA1eU4UMHqB6eux8hKmd1ycnpKQYW1oIVTcbNpLMBwFHWggCbsKiTRphYPxgupJeC1Yksi7OFHclDnmlokLVorr4dTtqT0V4frN+H8BWGDvo3XWQQfxnVTJuMWTp9Yq69IS8xrjBOZ+LmrTNYqWtcSsqdke4LCFJYab9P9vKSvL29tjUnrPOJrobIWK3O/3n13XNxdxBCvDN6n1Y5tDt7u/E6zgbYbuc3OkY5jyRtgdKHKugAkWgaT3uRllSIhpsD3pH5W2cUHeNfqR0xL0FwItUOT7eWYTbkxU5lKSr7oorKUm4nb5TS/pfBeyUZwuKd4kVBXTdVcqDhaQ==", "user": { "~ClassName": "User", "~ObjectID": "2S49", "~StoreTime": "20180905T114022+02:00", "Name": "GSDWebService", "Description": "Benutzer für Web-Service", "Groups": { "~Count": 1, "~UnfilteredCount": 1, "~Elements": [ { "~ClassName": "UserGroup", "~ObjectID": "2S1Y", "~StoreTime": "20180711T160940+02:00", "Name": "Jeder", "Description": "Rechte für jeden Benutzer" } ] }, "Employee": { "~ClassName": "Mitarbeiter", "~ObjectID": "6NB9", "~StoreTime": "20180718T080522+02:00", "Name1": "webservice", "Name2": "", "Name3": "", "Bild": { "~ClassName": "Bild", "~ObjectID": "8ZWX", "~StoreTime": "20180516T074606+02:00" }, "Mitarbeiteransprechpartner": { "~ClassName": "Ansprechpartner", "~ObjectID": "CQKN", "~StoreTime": "20180718T080526+02:00", "Name1": "webservice", "Name2": "", "Name3": "", "Bild": { "~ClassName": "Bild", "~ObjectID": "8ZWX", "~StoreTime": "20180516T074606+02:00" } } } }, "symmetricKey": "N8O8w5bCs8KRF8OKw7rCs8K8EcOWSk5XwoDCh8KHVcOrw7nColPCuQjDpcKiw5powp/CosKX", "databaseName": "testDatabase" } } |
Valid login request will contain two important json keys:
$.data.sessionId - your secure sessionId that you must provide as Secure-Token Header for each further request you wish to call.
$.data.symmetricKey - an unique AES-CTR key bound to your session you must use to encrypt request data.
Important information:
- Do not share symmetricKey with anyone. Store it for current session, each login provides new secure key and session.
- Remember to use
Content-Type: application/textfor encrypted data. - All encrypted payload (except for binary downloading/uploading) must be encoded in base64 to ensure consistent data flow.
- Only login request/response are encrypted via RSA keys, each next request/response must be encrypted with AES-CTR encryption using
symmetricKey - AES-CTR IV Counter is incremented by one.
- All encrypted responses will contain
Encryptedheader.