Each and every API call that is made to the OpenHIM has to be authenticated. The authentication mechanism that is used can be fairly complex to work with however it provides decent security.
The authentication mechanism is based on http://stackoverflow.com/a/9387289/588776.
The user notifies the API that it wants to use its authenticated service:
If you don't have a user account yet, you can use the root user. The default root user details are as follows:
username: root password: openhim-password (you should change this on a production installation!)
The server will respond with the salt that was used to calculate the clients passwordHash (during user registration):
You must calculate a passwordhash using the received salt and the supplied user password.
passwordhash = (sha512(salt + password))
For every request you must add the following additional HTTP headers to the request:
The server will authorise this request by calculating sha512(passwordhash + auth-salt + auth-ts) using the passwordhash from its own database and ensuring that:
- this is equal to auth-token
- the auth-ts isn't more than 2 seconds old
If these 2 conditions true the request is allowed.
Below are a few examples of how to achieve the correct request headers to authenticate to the OpenHIM API
When creating your bash file, ensure the bash script is executable