nano-run/_docs/authorization.md

# Authorization

By-default - authorization disabled. Multiple policies allowed. 
To allow request at least one policy should be passed.
Each authorization policy can enabled by `enable: yes` param.

Section in `server.yaml`: `authorization`

## JWT

*section: `authorization.jwt`*

[Overview](https://jwt.io/)

HMAC 256 signature validation against secret key

Configurable parameters:

* `header` (optional, string, default: `Authorization`) - header that contains JWT
* `secret` (required, string) - secret key to validate signature

Example minimal unit config

```yaml
command: 'echo hello world'
authorization:
    jwt:
      enable: yes
      secret: '$eCrEtKey'
```

## Query token

*section: `authorization.query_token`*

Plain token in a query string. Will be matched against list of allowed tokens.

For example, client can invoke endpoint by addition token query: `http://example.com/app/?token=deadbeaf`

Configurable parameters:

* `param` (optional, string, default: `token`) - query param where token should be placed
* `tokens` (required, []string) - list of allowed tokens

Example minimal unit config with 3 tokens

```yaml
command: 'echo hello world'
authorization:
    query_token:
      enable: yes
      tokens:
        - my-token-1
        - his-token-2
        - deadbeaf
```

## Header token

*section: `authorization.header_token`*

Plain token in a header. Will be matched against list of allowed tokens.

For example, client can invoke endpoint by curl: 

    curl -H 'X-Api-Token: deadbeaf' http://example.com/app/

Configurable parameters:

* `header` (optional, string, default: `X-Api-Token`) - header name where token should be placed
* `tokens` (required, []string) - list of allowed tokens

Example minimal unit config with 3 tokens

```yaml
command: 'echo hello world'
authorization:
    header_token:
      enable: yes
      tokens:
        - my-token-1
        - his-token-2
        - deadbeaf
```

## Basic

*section: `authorization.basic`*

Basic authentication. [Overview](https://en.wikipedia.org/wiki/Basic_access_authentication)

For example, client can invoke endpoint by curl: 

    curl -u 'alice:admin' http://example.com/app/

To [calculate](https://unix.stackexchange.com/a/419855) hash you may use `htpasswd` (Debian/Ubuntu: `sudo apt install apache2-utils`)

    htpasswd -bnBC 10 "" password | tr -d ':'

where `passsword` is a desired password for the user.

Configurable parameters:

* `users` (string->string, required) - map of users and their hashed password by bcrypt

Example minimal config:

```yaml
command: 'echo hello world'
authorization:
    basic:
      enable: yes
      users:
        alice: '$2y$10$cUe3n8NHaxee.AaGzT8wF.nirPnjv5YLEQGTsLiiMiUAknM2aF2FS'
        bob: '$2y$10$iSczi.MlKTrMv3h0Zf.GDeW1NS6ZWxBgtj4ytrKKDrR2s2wIxq5Qa'
```
initial code added 2020-09-10 10:11:34 +00:00			`# Authorization`

			`By-default - authorization disabled. Multiple policies allowed.`
			`To allow request at least one policy should be passed.`
			Each authorization policy can enabled by `enable: yes` param.

			Section in `server.yaml`: `authorization`

			`## JWT`

			section: `authorization.jwt`

			`[Overview](https://jwt.io/)`

			`HMAC 256 signature validation against secret key`

			`Configurable parameters:`

			* `header` (optional, string, default: `Authorization`) - header that contains JWT
			* `secret` (required, string) - secret key to validate signature

			`Example minimal unit config`

			```yaml
			`command: 'echo hello world'`
			`authorization:`
			`jwt:`
			`enable: yes`
			`secret: '$eCrEtKey'`
			```

			`## Query token`

			section: `authorization.query_token`

			`Plain token in a query string. Will be matched against list of allowed tokens.`

			For example, client can invoke endpoint by addition token query: `http://example.com/app/?token=deadbeaf`

			`Configurable parameters:`

			* `param` (optional, string, default: `token`) - query param where token should be placed
			* `tokens` (required, []string) - list of allowed tokens

			`Example minimal unit config with 3 tokens`

			```yaml
			`command: 'echo hello world'`
			`authorization:`
			`query_token:`
			`enable: yes`
			`tokens:`
			`- my-token-1`
			`- his-token-2`
			`- deadbeaf`
			```

			`## Header token`

			section: `authorization.header_token`

			`Plain token in a header. Will be matched against list of allowed tokens.`

			`For example, client can invoke endpoint by curl:`

			`curl -H 'X-Api-Token: deadbeaf' http://example.com/app/`

			`Configurable parameters:`

			* `header` (optional, string, default: `X-Api-Token`) - header name where token should be placed
			* `tokens` (required, []string) - list of allowed tokens

			`Example minimal unit config with 3 tokens`

			```yaml
			`command: 'echo hello world'`
			`authorization:`
			`header_token:`
			`enable: yes`
			`tokens:`
			`- my-token-1`
			`- his-token-2`
			`- deadbeaf`
			```

			`## Basic`

			section: `authorization.basic`

			`Basic authentication. [Overview](https://en.wikipedia.org/wiki/Basic_access_authentication)`

			`For example, client can invoke endpoint by curl:`

			`curl -u 'alice:admin' http://example.com/app/`

			To [calculate](https://unix.stackexchange.com/a/419855) hash you may use `htpasswd` (Debian/Ubuntu: `sudo apt install apache2-utils`)

			`htpasswd -bnBC 10 "" password \| tr -d ':'`

			where `passsword` is a desired password for the user.

			`Configurable parameters:`

			* `users` (string->string, required) - map of users and their hashed password by bcrypt

			`Example minimal config:`

			```yaml
			`command: 'echo hello world'`
			`authorization:`
			`basic:`
			`enable: yes`
			`users:`
			`alice: '$2y$10$cUe3n8NHaxee.AaGzT8wF.nirPnjv5YLEQGTsLiiMiUAknM2aF2FS'`
			`bob: '$2y$10$iSczi.MlKTrMv3h0Zf.GDeW1NS6ZWxBgtj4ytrKKDrR2s2wIxq5Qa'`
			```