mirror/archivebox
1
0
Fork 0
mirror of https://github.com/pirate/ArchiveBox.git synced 2025-08-26 15:54:36 +02:00
Code Issues Releases Wiki Activity

Updated Setting up Authentication (markdown)

Nick Sweeting
2024-05-08 19:20:13 -07:00
parent 33bada212f
commit 5f1663a7d3
1 changed files with 24 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
Setting-up-Authentication.md

@@ -160,10 +160,11 @@ curl -X 'POST' \
<br/> <br/>
### API Bearer Token Authentication
> [!TIP] > [!TIP]
> Bearer Tokens are the recommended method for the best balance of security and usability. > Bearer Tokens are the recommended method for the best balance of security and convenience.
### API Bearer Token Authentication
Pass `Authorization=Bearer YOURAPITOKENHERE` as a request header. Pass `Authorization=Bearer YOURAPITOKENHERE` as a request header.
@@ -185,10 +186,12 @@ curl -X 'GET' \
-H 'X-API-Key: YOURAPITOKENHERE' -H 'X-API-Key: YOURAPITOKENHERE'
``` ```
<br/>
### API Query Parameter Authentication ### API Query Parameter Authentication
> [!WARNING] > [!WARNING]
> This method is sometimes known as ["Capability URLs"](https://w3ctag.github.io/capability-urls/) and comes with several [important security caveats](https://security.stackexchange.com/questions/118975/is-it-safe-to-include-an-api-key-in-a-requests-url). > This method is sometimes known as ["Capability URLs"](https://w3ctag.github.io/capability-urls/) because anyone who knows the URL can perform API actions. It comes with several [important security caveats](https://security.stackexchange.com/questions/118975/is-it-safe-to-include-an-api-key-in-a-requests-url) and is not recommended unless you fully understand the risks.
Pass `api_key=YOURAPITOKENHERE` as a GET/POST query parameter. Pass `api_key=YOURAPITOKENHERE` as a GET/POST query parameter.
@@ -198,21 +201,10 @@ curl -X 'GET' \
-H 'accept: application/json' -H 'accept: application/json'
``` ```
### API HTTP Basic Authentication
Pass your ArchiveBox admin username & password via HTTP Basic Authentication.
```bash
curl -X 'GET' \
'http://127.0.0.1:8000/api/v1/core/snapshots?limit=10' \
-u 'YOURUSERNAMEHERE:YOURPASSWORDHERE'
-H 'accept: application/json'
```
### API Session Cookie Authentication ### API Session Cookie Authentication
> [!CAUTION] > [!CAUTION]
> We recommend sticking to header-based authentication and not using this method unless you fully understand the security risks. > We recommend sticking to header-based authentication and not using this method unless you fully understand the CSRF/CORS security risks.
Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks).
@@ -225,4 +217,19 @@ curl -X 'GET' \
'http://127.0.0.1:8000/api/v1/core/snapshots?limit=10' \ 'http://127.0.0.1:8000/api/v1/core/snapshots?limit=10' \
-H 'accept: application/json' \ -H 'accept: application/json' \
-H 'Cookie: sessionid=YOURSESSIONIDVALUEHERE' -H 'Cookie: sessionid=YOURSESSIONIDVALUEHERE'
``` ```
### API HTTP Basic Authentication
> [!WARNING]
> Use of this method is fairly uncommon and is only useful in a few niche situations where other methods are not available.
> We may remove this method in future ArchiveBox releases.
Pass your ArchiveBox admin username & password via HTTP Basic Authentication.
```bash
curl -X 'GET' \
'http://127.0.0.1:8000/api/v1/core/snapshots?limit=10' \
-u 'YOURUSERNAMEHERE:YOURPASSWORDHERE'
-H 'accept: application/json'
```