| | | |
|---|---|---|
| author | bahbka <bahbka@gmail.com> | 2014-07-09 10:23:55 +0400 |
| committer | bahbka <bahbka@gmail.com> | 2014-07-09 10:23:55 +0400 |
| commit | c2d2725f0da8ba42b33935de4d7a4cb09851fc8d (patch) | |
| tree | a6c3fcf70c93ea487f080c5ef9e8afb2551c3125 | |
| parent | 44710854ca2d6d1fb40786f53ee11599ab770582 (diff) | |
Fixed README.md auth section.
-rw-r--r-- | README.md | 12 |
1 files changed, 6 insertions, 6 deletions
@@ -140,12 +140,12 @@ Salt for Pebble-Auth hash (see below) ## Auth Authentication algorithm example (reinvent the wheel): -1. -> Pebble makes HTTP request with Pebble-Token header (Pebble App Token by default, unique to device/app pair, can be changed at configuration page, clear to restore default) -2. <- Server answers with JSON like { ..., "content": "logging in...", "refresh": 5, "auth": "randomsalt", ... } -3. Pebble calculates MD5(MD5(password)+"randomsalt"), saves it as auth token and uses as Pebble-Auth HTTP request header in future requests. -4. -> Pebble makes HTTP request after 5 seconds with Pebble-Token header and with Pebble-Auth header (calculated and stored in previous step) -5. Server checks Pebble-Token and Pebble-Auth headers if data equal data in database (Pebble-Token <=> login, calculate MD5(password_md5_db+"randomsalt")) -6. <- Server answers with private content (seems your need https for more security), or some error if auth failed; auth field in JSON not needed anymore, until you desire to regenerate auth token with new salt (paranoid mode) or to clear Pebble-Auth header + 1. -> Pebble makes HTTP request with Pebble-Token header (Pebble App Token by default, unique to device/app pair, can be changed at configuration page, clear to restore default) + 2. <- Server answers with JSON like { ..., "content": "logging in...", "refresh": 5, "auth": "randomsalt", ... } + 3. Pebble calculates MD5(MD5(password)+"randomsalt"), saves it as auth token and uses as Pebble-Auth HTTP request header in future requests. + 4. -> Pebble makes HTTP request after 5 seconds with Pebble-Token header and with Pebble-Auth header (calculated and stored in previous step) + 5. Server checks Pebble-Token and Pebble-Auth headers if data equal data in database (Pebble-Token <=> login, calculate MD5(password_md5_db+"randomsalt")) + 6. 
<- Server answers with private content (seems your need https for more security), or some error if auth failed; auth field in JSON not needed anymore, until you desire to regenerate auth token with new salt (paranoid mode) or to clear Pebble-Auth header To clear Pebble-Auth header, send { ..., "auth": "", ...} (eg logout). |
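Review bot: Steps 3 and 5 of this hunk describe a scheme in which the value stored in the database (password_md5_db, an unsalted MD5 of the password) is by itself enough to mint a valid Pebble-Auth header: the server computes MD5(password_md5_db+"randomsalt") and the client computes the identical MD5(MD5(password)+"randomsalt"), so anyone who reads the database can authenticate without cracking anything, and an unsalted MD5 is in any case cheap to brute-force offline. Since this commit only re-indents the list, it would be a good moment to also correct the documented design: store a salted slow password hash (bcrypt, scrypt or PBKDF2), verify the password once over HTTPS, and then issue a random server-generated Pebble-Auth token instead of deriving it from the password hash. Step 6's "seems your need https for more security" should likewise be stated as a requirement rather than a suggestion, because both Pebble-Token and Pebble-Auth are replayable bearer values on the wire until the "paranoid mode" re-salt or the `"auth": ""` logout described in the last line.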