Authentication
In order to # a user, you need to send a request with the HTTP POST method. The endpoint for this action is "api/user/#". In the body, in JSON format, you have to enter your username and password as shown in the example below. A user with this name and password exists by default for testing purposes.
{
    "username": "testuser1",
    "password": "Test_Password0"
}
If the provided username and password are correct, you will receive a response like the one shown below.
{
    "responseCode": 200,
    "baseResponseError": null,
    "message": "You have been signed in successfully",
    "data": {
        "refreshToken": {
            "token": "5DyoWy04kjtTTmHvcQzmYqVwSQTMlcleKzhavcOoQWX0xInxJ9Qr11VH0l5nIK1mfeyGxb1hacvuKbf8DWy1Ag==",
            "validUntil": "2022-03-19T15:45:12.170864Z"
        },
        "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI2NzkzODFmMi0wNmExLTRlMjItYmVkYS0xNzllOGU5ZTMyMzYiLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoiVGVzdFVzZXIxIiwibmJmIjoxNjQ3NTMxOTExLCJleHAiOjE2NDc1MzE5NzEsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0OjcwMDkvIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NzAwOS8ifQ.Et_NGVeJ8OU9TRIDRBXzK1w5MA2KPiTKCeVOo_5rH6s"
    }
}
In the response there is an "accessToken", which is a JSON Web Token (JWT). This token contains some information about the user and allows the user to authorize against protected resources.
Beyond that, in the response the user receives a "refreshToken" together with its expiration time. This token is used to obtain a new JSON Web Token.
An access token received after the # action is valid only for a short period of time (a few minutes). This is necessary for security reasons. So that the user does not have to log in again after such a short time, the user also gets a second token (refreshToken) with a longer validity period. This token does not take part in authorization. It is used only to obtain a new JWT.
If you are logged in (your refresh token is still alive) and your access token (JWT) has expired (when you try to invoke an action that requires authorization you get a 401 Unauthorized code), you have to send a request with the HTTP POST method to the "api/user/#" endpoint. In the header (!!!TODO: change to body !!!) you have to enter your refresh token and the expired access token. You will receive a new access token (JWT) and a new refresh token, just as when you log in.
{
    "refreshToken": {
        "token": "d6myiwH4hUQH5DW6bheuCT+xhSIONRCKaJnS2/iaqs1a4Xz8rL7qmk9qcB4ByBCb0W0nfCSDN4Pde+FGQ//uBQ==",
        "validUntil": "2022-03-19T16:40:17.8718525Z"
    },
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6IjY3OTM4MWYyLTA2YTEtNGUyMi1iZWRhLTE3OWU4ZTllMzIzNiIsImh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWUiOiJUZXN0VXNlcjEiLCJuYmYiOjE2NDc1MzUyMTcsImV4cCI6MTY0NzUzNTI3NywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NzAwOS8iLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NzAwOS8iLCJodHRwczovL2xvY2FsaG9zdDo3MDA5LyJdfQ.ohiO8gWC7tWR_WPNmb2MkLMb_-ZqaywEwxlW0_C99lQ"
}
If you want to sign out, you have to send a request with the HTTP POST method to the "api/user/logoff" endpoint with the active access token in the body. Logging a user out involves deleting the refresh token from the database, so it can no longer be used to obtain a new JWT.
In general, to access resources available to logged-in users, you have to specify in the request header a field with the key "Authorization" and the value "Bearer JWT", where JWT is the accessToken received in the response from the login action (or the refreshToken action).
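The login, refresh-on-401 and Bearer-header steps above as a small client, written as an added example (it is not this project's own code): ApiClient keeps the token pair and, when a protected call answers 401, sends the refresh token with the expired access token and retries once. The README elides the exact login and refresh path segments, so LOGIN_PATH and REFRESH_PATH are placeholders, the refresh reply is assumed to use the same "data" envelope as login, and FakeServer is a constructed stand-in that issues a fresh pair on every login/refresh and rejects the previous refresh token, so the flow runs offline.

```python
LOGIN_PATH = "api/user/<login-segment>"      # assumption: README elides the segment
REFRESH_PATH = "api/user/<refresh-segment>"  # assumption: README elides the segment

class ApiClient:
    def __init__(self, send):
        self.send = send  # send(method, path, headers, body) -> (status, dict); injected
        self.access_token = self.refresh_token = None
    def _store(self, data):
        self.access_token = data["accessToken"]
        self.refresh_token = data["refreshToken"]["token"]
    def login(self, username, password):
        status, body = self.send("POST", LOGIN_PATH, {}, {"username": username, "password": password})
        if status != 200:
            raise PermissionError(body.get("message", "login failed"))
        self._store(body["data"])
    def refresh(self):
        # README: send the refresh token together with the expired access token;
        # the reply is assumed to use the same {"data": {...}} envelope as login.
        status, body = self.send("POST", REFRESH_PATH, {},
                                 {"refreshToken": self.refresh_token, "accessToken": self.access_token})
        if status != 200:  # refresh token expired or revoked: a new login is required
            raise PermissionError(body.get("message", "refresh rejected"))
        self._store(body["data"])
    def call(self, method, path, payload=None):
        for attempt in (0, 1):
            headers = {"Authorization": "Bearer " + self.access_token}
            status, body = self.send(method, path, headers, payload)
            if status != 401 or attempt:
                return status, body
            self.refresh()  # access token expired: rotate the pair, then retry once

class FakeServer:
    """Constructed stand-in for the API: one live access token, one valid refresh token."""
    def __init__(self):
        self.issued, self.live_access, self.live_refresh = 0, None, None
    def _pair(self):  # each login/refresh issues a fresh pair; the old refresh token dies
        self.issued += 1
        self.live_access, self.live_refresh = f"jwt-{self.issued}", f"rt-{self.issued}"
        return {"accessToken": self.live_access, "refreshToken": {"token": self.live_refresh}}
    def send(self, method, path, headers, body):
        if path == LOGIN_PATH:
            if body != {"username": "testuser1", "password": "Test_Password0"}:
                return 401, {"message": "invalid credentials"}
            return 200, {"responseCode": 200, "data": self._pair()}
        if path == REFRESH_PATH:
            if body.get("refreshToken") != self.live_refresh:
                return 401, {"message": "refresh token not found"}
            return 200, {"responseCode": 200, "data": self._pair()}
        if headers.get("Authorization") != f"Bearer {self.live_access}":
            return 401, {}  # missing, wrong or expired JWT
        return 200, {"resource": "ok"}
```

Setting `server.live_access = None` simulates the short JWT lifetime elapsing; the next `call` then goes through `refresh` transparently.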
In Swagger it is possible to enter a JWT once and use it until it expires. You have to click the green button with the "Authorize" caption.
In the window that then appears you have to enter "Bearer JWT", in the same form as described above.
After pressing the "Authorize" button, you will be "logged in".