signalk-server
Authorization validation endpoint is missing
The spec describes the /signalk/v1/auth/validate endpoint that could be used to validate the auth token. However, looking at the code and the tests, the endpoint would seem to be missing. I'd need some way to test the token to fix SensESP websocket connection semantics.
Some background: SensESP currently tests the token validity using the /signalk endpoint, but it would seem that the endpoint ignores the Authorization header, and the test always succeeds. (Not sure if the SensESP implementation has always been faulty or whether the server semantics have changed.) The websocket library used in SensESP doesn't provide any information on a disconnect event, so deducing the disconnection reason is not possible. If a previously valid token gets invalidated on the server, SensESP never gets the memo and won't be able to connect unless the device is reset.
I noticed that I am able to make an HTTP request to the websocket endpoint /signalk/v1/stream?subscribe=none as a workaround, but there's another bug, reported in #1397.
Continuing here: the /signalk/v1/auth/validate functionality in the spec is geared more towards refreshing a token than checking if it is ok and what kind of access it has.
@wellenvogel (in Slack) asked for a way to check if the session / credential has write access for sending notifications, meaning certain paths. The server supports Access Control Lists (that I think very few people use, but nevertheless), so write access may not be universal.
What this leads to is that I think we should have a way to actually validate a credential, without creating a new one, and to get more data than yes/no back. Sounds like a new endpoint to me, or a way to call the one defined in the spec without creating new tokens.
The user should be able to query for write access to a list of paths.
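A sketch of the validate-without-refresh endpoint proposed above, written as an added example (not signalk-server's code): a request carrying a Bearer token and a list of paths gets back per-path write access, and an invalid or expired token is rejected without issuing a new one. The session store, the ACL patterns and the request/response shape are all constructed assumptions.

```javascript
// Hypothetical validate handler: checks an existing token and reports which of
// the requested paths the session may write to. Nothing here is signalk-server API.

// Constructed session store: token -> principal. A real server would verify a
// signed token instead of looking it up in a map.
const SESSIONS = new Map([
  ['tok-sensesp-1', { user: 'sensesp', expires: Date.parse('2099-01-01T00:00:00Z') }],
  ['tok-expired-1', { user: 'sensesp', expires: Date.parse('2000-01-01T00:00:00Z') }],
]);

// Constructed ACL: principal -> path patterns with write access ("*" = any suffix).
const ACL = {
  sensesp: ['environment.*', 'electrical.batteries.*'],
};

// Turn a dot-separated path pattern into an anchored regular expression.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// True when some ACL entry for the user grants write access to the path.
function pathWritable(user, path) {
  return (ACL[user] || []).some((p) => patternToRegExp(p).test(path));
}

// req: { headers: { authorization }, body: { paths: [...] } } (assumed shape).
// Returns { status, body } so the logic can be exercised without an HTTP stack.
function handleValidate(req) {
  const auth = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m) return { status: 401, body: { error: 'missing bearer token' } };

  const session = SESSIONS.get(m[1]);
  if (!session || session.expires < Date.now()) {
    // Same response for unknown and expired tokens: the client only needs to
    // know that it must re-authenticate, not why the token stopped working.
    return { status: 401, body: { error: 'token invalid or expired' } };
  }

  const paths = Array.isArray(req.body && req.body.paths) ? req.body.paths : [];
  const access = {};
  for (const p of paths) access[p] = pathWritable(session.user, p);
  return { status: 200, body: { user: session.user, access } };
}
```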
Would highly appreciate having something like this.
Still missing, and cannot get the workaround with /stream?subscribe=none to work; I always get 426, whether logged in or not.