<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">Thanks, Rick, for the clarification. I dug into the code to double
 check that HTTP basic auth is not used.</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof"><br>
</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0">The API spec is here: https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/api/users-paths.yaml#L1-L33<br>
</span></div>
<br>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1">If basic auth were in use, there would
 be a security section as described here: https://swagger.io/docs/specification/authentication/basic-authentication/<br>
</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1"><br>
</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1 ContentPasted2">Here is the code that
 authenticates the user for the /session endpoint: https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/backend/server/restservice/users.go#L54-L68<br>
</span></div>
<br>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted3 ContentPasted4">
A use of the middleware to ensure the user is logged in before continuing the request: https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/backend/server/restservice/middleware.go#L269-L281<br>
</div>
<br>
<br>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
In summary, the user provides a username (treated as an email if it contains '@' or a username otherwise) and a password, which maps to their identity. The password is hashed with PostgreSQL's
<code>crypt</code> function and stored. That identity is tied to the session token, which is passed to the server in the session cookie upon any (authenticated) request and checked for equality and validity (+ expiration) in the database. Basic auth is not
 checked.<br>
</div>
<br>
<div class="elementToProof">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p style="background: transparent; margin-bottom: 0in; line-height: 100%;"><b>Eric Graham</b></p>
<p style="background: transparent; margin-bottom: 0in; line-height: 100%;"><i>DevOps Specialist<br>
</i></p>
<p style="background: transparent; margin-bottom: 0in; line-height: 100%;"><font style="font-size:8pt" size="1">Main: 605.995.1777</font></p>
<p style="background: transparent; margin-bottom: 0in; line-height: 100%;"><a href="mailto:Eric.Graham@Vantagepnt.com"><font style="font-size:8pt" size="1">Eric.Graham@Vantagepnt.com</font></a></p>
<p style="background: transparent; margin-bottom: 0in; line-height: 100%;"><br>
</p>
<p style="background: transparent; margin-bottom: 0in; line-height: 100%;"><br>
</p>
<p style="background: transparent; margin-bottom: 0in; line-height: 100%;"><font style="font-size:9pt" size="2"><b>Mitchell | Portland | Colorado Springs | San Antonio | Sioux Falls | Springfield | Charlotte</b></font></p>
</div>
</div>
</div>
</div>
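<div>The behaviour summarised above (the session cookie is checked for validity and expiration, HTTP Basic credentials are never consulted), as an added Go example that is not part of the original message and is not Stork's code. The cookie name <code>session</code>, the in-memory <code>sessions</code> map and the helper names are assumptions for illustration.</div>

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

var sessions = map[string]time.Time{} // token -> expiry; stand-in for the database table

// newSession does what a successful login would: mint a random token, store it.
func newSession(ttl time.Duration) string {
	b := make([]byte, 16)
	rand.Read(b)
	sessions[hex.EncodeToString(b)] = time.Now().Add(ttl)
	return hex.EncodeToString(b)
}

// requireSession admits only requests with a known, unexpired session cookie
// (an unknown token maps to the zero time, i.e. expired). Authorization is never read.
func requireSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session") // cookie name is an assumption
		if err != nil || time.Now().After(sessions[c.Value]) {
			http.Error(w, "no valid session", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends GET /api/subnets with optional Basic auth and session cookie.
func statusFor(basicAuth bool, token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("[]")) })
	req := httptest.NewRequest(http.MethodGet, "/api/subnets", nil)
	if basicAuth {
		req.SetBasicAuth("sgw", "yourpassword") // sample values from the thread
	}
	if token != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: token})
	}
	rec := httptest.NewRecorder()
	requireSession(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(true, ""), statusFor(false, newSession(24*time.Hour))) }
```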
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Frey, Rick E <Rick.Frey@windstream.com><br>
<b>Sent:</b> Thursday, December 15, 2022 9:22 AM<br>
<b>To:</b> Stefan G. Weichinger <lists@xunil.at>; Eric Graham <eric.graham@vantagepnt.com>; kea-users@lists.isc.org <kea-users@lists.isc.org><br>
<b>Subject:</b> Re: [Kea-users] Stork API Key</font>
<div> </div>
</div>
<style>
<!--
@font-face
        {font-family:"Cambria Math"}
@font-face
        {font-family:Calibri}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif}
a:link, span.x_MsoHyperlink
        {color:blue;
        text-decoration:underline}
span.x_EmailStyle19
        {font-family:"Calibri",sans-serif;
        color:windowtext}
.x_MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
        {}
-->
</style>
<div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal">Questions are venturing out of scope for Kea/Stork and are more about general HTTP, but I will make a stab at getting you pointed in the right direction.
</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">In your second call, you are attempting to use HTTP basic authentication (--user arg to curl) instead of sending the session cookie. As mentioned earlier in the thread, Stork uses sessions for authentication where expiration is currently
 hard-coded to 24 hours. The session cookie is provided with your successful call to /api/sessions and was stored in your cookie jar file “cookie.txt” with the sample curl command you provided. In your tests using curl for the second call, you just need to omit
 the username arg and tell curl to use the cookie jar you specified in the login POST.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Example login (stores session cookie in cookie jar “cookie.txt”):</p>
<p class="x_MsoNormal"><br>
curl -X 'POST'   'http://10.0.0.230:8080/api/sessions'   -H 'accept: application/json'   -H 'Content-Type: application/json'   -d '{</p>
<p class="x_MsoNormal">  "useremail": "sgw",</p>
<p class="x_MsoNormal">  "userpassword": "yourpassword"</p>
<p class="x_MsoNormal">}'  -c cookie.txt</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Example API call using the previously acquired session cookie stored in the cookie jar:</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">curl -X 'GET'   'http://10.0.0.230:8080/api/subnets'   -H 'accept: application/json'   -b cookie.txt<br>
<br>
<br>
</p>
<p class="x_MsoNormal"> </p>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt; color:black">From:
</span></b><span style="font-size:12.0pt; color:black">Kea-users <kea-users-bounces@lists.isc.org> on behalf of Stefan G. Weichinger <lists@xunil.at><br>
<b>Date: </b>Thursday, December 15, 2022 at 7:46 AM<br>
<b>To: </b>Eric Graham <eric.graham@vantagepnt.com>, kea-users@lists.isc.org <kea-users@lists.isc.org><br>
<b>Subject: </b>Re: [Kea-users] Stork API Key</span></p>
</div>
<div>
<p class="x_MsoNormal">
On 14.12.22 at 17:22, Eric Graham wrote:<br>
> I haven't used that platform before, so I don't know for sure, but you<br>
> might find it easier to authenticate for each query, depending on how<br>
> frequent they are.<br>
<br>
Trying to figure out these calls now.<br>
<br>
curl -k -c cookie.txt -X POST -H 'Content-Type: application/json'<br>
http://10.0.0.230:8080/api/sessions
 -d '{"useremail": "sgw",<br>
"userpassword": "nCNKRxxxxxxxx"}'<br>
<br>
returns an OK cookie.txt that in turn also can be used for API calls.<br>
<br>
-<br>
<br>
But I fail with something like:<br>
<br>
curl -X GET -H 'Content-Type: application/json' --user<br>
"sgw:nCNKRxxxxxxxx" http://10.0.0.230:8080/api/users<br>
<br>
Shouldn't that work also? Maybe I have a stupid mistake, thanks.<br>
<br>
-<br>
<br>
I tried with two user/pw-combos to rule out stuff like special chars in<br>
the password.<br>
<br>
--<br>
ISC funds the development of this software with paid support subscriptions. Contact us at
<a href="https://www.isc.org/contact/">https://www.isc.org/contact/</a>
 for more information.<br>
<br>
To unsubscribe visit <a href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a>.<br>
<br>
Kea-users mailing list<br>
Kea-users@lists.isc.org<br>
<a href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a></p>
</div>
</div>
<br>
</div>
</div>
</body>
</html>