User Authentication


Luke

I just added LastLoginDate and LastActivityDate, although FYI, they are not implemented yet and will just return dummy data for now. But the properties are there for you to consume.

 

LastActivityDate is based on any kind of api call made on behalf of the user.

 

Also, fyi, this is a good resource to format the times nicely, if you want to display something like "Last seen 3 hours ago".

 

http://stackoverflow.com/questions/11/c ... ative-time

Link to comment
Share on other sites

I have added user authentication via the following:

 

- DTOUser has a HasPassword property

- If true you must authenticate the user when they sign in

 

- Make a POST request to /api/userauthentication

 

- userId and password both need to be supplied via form POST data. You can't put them on the query string

 

- You will get an AuthenticationResult back. Currently Success will always come back true. Eric and I will implement the password validation together. But this should be enough for UI devs to begin consuming it.

 

 

Note: Skip authentication if EnableUserProfiles=false

 

At the moment, there is nothing that prevents a UI developer from skipping authentication entirely. I'm willing to take security as far as we want to take it, with things like auth tokens and the like. Right now I'm trying to be cognizant of the fact that we're just a media player hosted directly on a user's computer. But please feel free to provide feedback.

 

See ApiClient for sample usage.

Link to comment
Share on other sites

I don't think we have to be too concerned with security from the developer perspective. We are more concerned with presenting the right options than securing anything. I know PC will be tied to this as well, but that isn't a huge concern.

Link to comment
Share on other sites

One change I will introduce to the server today -

 

I want the UIs to always make the call to authenticate regardless of HasPassword or EnableUserProfiles.

 

This is just from a tracking perspective so that we know the login took place and to keep things consistent.

 

If HasPassword=false, or EnableUserProfiles=false, simply omit password from the form POST.

Link to comment
Share on other sites
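
Added example, not part of the original posts and not the project's own code: the authentication call described in the posts above (always POST to /api/userauthentication, userId and password in the form body, password omitted when the user has none), plus a server-side check that refuses credentials on the query string, where they would typically end up in access logs and browser history. The host name, the sample credentials and the function names build_auth_request and check_auth_request are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

AUTH_PATH = "/api/userauthentication"  # endpoint named in the thread
FORM_TYPE = "application/x-www-form-urlencoded"
CREDENTIAL_FIELDS = {"userid", "password"}  # compared case-insensitively


def build_auth_request(base_url, user_id, password=None):
    """Client side: always build the call, with the fields in the POST body.

    The password is left out for users without one (HasPassword=false or
    EnableUserProfiles=false); nothing is ever placed on the query string.
    """
    fields = {"userId": user_id}
    if password:
        fields["password"] = password
    return Request(
        base_url.rstrip("/") + AUTH_PATH,
        data=urlencode(fields).encode("utf-8"),
        headers={"Content-Type": FORM_TYPE},
        method="POST",
    )


def check_auth_request(method, url, content_type, body):
    """Server side (hypothetical check): returns (ok, reason, form_fields)."""
    if method.upper() != "POST":
        return False, "authentication must be a POST", {}
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    leaked = sorted(k for k in query if k.lower() in CREDENTIAL_FIELDS)
    if leaked:
        return False, "credentials on the query string: " + ", ".join(leaked), {}
    if content_type.split(";")[0].strip().lower() != FORM_TYPE:
        return False, "expected form POST data", {}
    parsed = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    form = {name: values[0] for name, values in parsed.items()}
    if not form.get("userId"):
        return False, "userId missing from form data", {}
    return True, "ok", form


if __name__ == "__main__":
    # Constructed host and credentials, for illustration only.
    req = build_auth_request("http://media-server.example:8080", "user-1", "s3cret")
    print(req.get_method(), req.full_url, req.data)
    print(check_auth_request("POST", req.full_url, FORM_TYPE, req.data))
    print(check_auth_request("POST", req.full_url + "?password=s3cret", FORM_TYPE, b"userId=user-1"))
```
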

Ok, I've pushed the changes to the server.

 

Please make the call to authenticate regardless of EnableUserProfiles or HasPassword.

 

LastLoginDate and LastActivityDate will now be updated while the server is running. Since we don't have a DB yet, the changes are not actually saved anywhere but you should see the values get updated throughout each server session.

Link to comment
Share on other sites

  • 1 year later...
sethkaymart

I was surprised at how much information is available without any authentication. /System/Info shows a lot about the host computer.

 

I'm in favor of any added security for API users, even if it's just a randomly-generated key. Are there any current settings that can limit anonymous access?

Link to comment
Share on other sites

Great news. Just donated. Keep up the good work.

 

Thanks, that is much appreciated. As long as we have (team) community members like yourself, we'll keep it coming.

Link to comment
Share on other sites
