=========
API v1.0
=========


.. warning:: This api is in development. Changes can and will be made without notice.

The base url is:  https://sgauth.intemo.com/

.. |HOST| replace:: https://sandgrain.intemo.com

Routing table
=============
:ref:`routingtable`

Authentication API
==================

The authentication api can be invoked by client to verify if credentials are ok.
This is typically invoked by mosquitto  (mosquitto-go-auth plugin).

mosquitto
---------
This api implements the http interface of `mosquitto-go-auth <https://github.com/iegomez/mosquitto-go-auth>`_



See table below for configuration items

===========================  ================================
config item                  value
===========================  ================================
auth_opt_backends            `http`
auth_opt_http_host           `sgauth.intemo.com`
auth_opt_http_port           `443`
auth_opt_http_getuser_uri    `/api/1.0/auth/mqtt/getuser`
auth_opt_http_aclcheck_uri   `/api/1.0/auth/mqtt/aclcheck`
auth_opt_http_superuser_uri  `/api/1.0/auth/mqtt/superuser`
auth_opt_http_with_tls       `true`
auth_opt_http_response_mode  `status`
auth_opt_http_params_mode    `json`
auth_opt_http_timeout        `2`
===========================  ================================




getuser
-------
.. http:post:: /api/1.0/auth/mqtt/getuser
  :synopsis: Authenticate user

  This is the `auth_opt_http_getuser_uri` url that mosquitto-go-auth invokes.

  **Example request**:

  .. sourcecode:: http

    POST /api/1.0/auth/mqtt/getuser HTTP/1.1
    Host: sgauth.intemo.com
    Content-Type: application/json

     {
        "clientid": "auto-E0CC51DE-815E-3502-0BF4-7796C60893BB",
        "password": "test",
        "username": "test"
     }

  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 201 CREATED


  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 401 Unauthorized


  :<json str clientid: mqtt clientid
  :<json str username: mqtt username
  :<json str password: password to be validated
  :status 201: credentials are accepted
  :status 401: Not authorized, provided credentials are not accepted

aclcheck
--------

.. http:post:: /api/1.0/auth/mqtt/aclcheck
  :synopsis: Check access for user

  This is the `auth_opt_http_aclcheck_uri` url that mosquitto-go-auth invokes.

  **Example request**:

  .. sourcecode:: http

    POST /api/1.0/auth/mqtt/aclcheck HTTP/1.1
    Host: sgauth.intemo.com
    Content-Type: application/json

    {
        "acc": 4,
        "clientid": "auto-4C71BC22-5F0B-3532-1107-55A7B7F53D3B",
        "topic": "test/#",
        "username": "test"
    }


  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 201 CREATED


  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 401 Unauthorized

  :<json int acc: action 1 is read, 2 is write, 3 is readwrite, 4 is subscribe
  :<json str clientid: mqtt clientid
  :<json str username: mqtt username
  :<json str topic: mqtt topic (may contain mqtt wildcards)
  :status 201: Access is granted
  :status 401: Access is not granted

superuser
---------

.. http:post:: /api/1.0/auth/mqtt/superuser
  :synopsis: Check if user is superuser

  This is the `auth_opt_http_superuser_uri` url that mosquitto-go-auth invokes.

  **Example request**:

  .. sourcecode:: http

    POST /api/1.0/auth/mqtt/superuser HTTP/1.1
    Host: sgauth.intemo.com
    Content-Type: application/json

    {
        "username": "test"
    }


  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 201 CREATED


  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 401 Unauthorized

  :<json str username: mqtt username
  :status 201: user is superuser
  :status 401: user is not superuser

IoT API
=======

The IoT api is an api intended for devices that contain sandgrain tokens (=sandgrain chip).
This api can be used to:

* Created a shared secret
* Store meta data



.. list-table:: abbreviations
   :widths: 25 50

   * - pccid
     - sandgrain id (32 bytes)
   * - tid
     - transaction id
   * - cw
     - challenge word (32 bytes)
   * - rw
     - reply word (16 bytes)
   * - ek
     - ephemeral key (shared secret) (16 bytes)

The following sequence diagram shows how an IOT device and sgauth establish a shared secret.
This shared secret is later used for authentication (as password)

.. uml::
   :align: center

    title establish a shared secret

    participant token as t
    participant "IOT device" as d
    participant sgauth as api
    database "sgauth db" as db
    participant cyberrock as cb


    d -> t: SPI: Read identification\n(mode 1)

    t -> d: pccid

    d -> api: POST ek-init\n{pccid}

    api -> cb: POST ekRequestCW
    cb -> api: tid, cw

    api -> d:  tid, cw

    d -> t: SPI: cw (mode 7)
    t-> d: ek, rw


    d->api: POST ek-fin\n{pccid, cw, rw, tid}\n{meta: username, client-id, ...}

    api -> cb: POST ekReplyRW
    cb -> api: tid
    api -> cb: GET ekCheckAuthStatus
    cb -> api: ek
    api -> db: store username\nclient-id
    api -> db:  Store ek\nhashed
    api -> d: HTTP/1.1 201
    d->d: store ek


Setting up an mqtt connection is shown in the sequence diagrom below.
Note that establishing an mqtt connection does not involve the sandgrain token (on the device), nor the cyberrock api. It uses the shared secret (ek) stored in the device, and stored hashed in sgauth.


.. uml::
   :align: center

    title setup mqtt connection

    participant "IOT device" as d
    participant "MQTT server" as m
    participant sgauth as api
    database "sgauth db" as db


    d -> d: read ek as password
    d -> d: read username, clientid
    d -> m: connect\nusername, clientid, password

    m->api: POST getuser\nusername,clientid, password
    api -> db: validate username, clientid, password
    api->m: HTTP 201
    note right: 20X means allowed
    m-> d: connection established

    d-> m: subscribe topic
    m-> api: POST aclcheck\nusername,clientid, topic
    api->db: Check acl rules
    api->m: HTTP 201
    m->d: subscribed


Initiate EK
-----------
.. http:post:: /api/1.0/iot/ek-init
  :synopsis: Start EK exchange

  Initiate an ephemeral key exchange
  Nodes, Schedules all belong to an organization.


  **Example request**:

  .. sourcecode:: http

    POST /api/1.0/iot/ek-init HTTP/1.1
    Host: sgauth.intemo.com
    Content-Type: application/json
    Authentication: Basic dXNlcjpzZWNyZXQ=

    {
        "sg": {
           "pccid": "800000000000000000000000000000188d7aa5f9036480c8aa62f400023f2faa"
        }
    }

  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 201 OK
    Content-Type: application/json; charset=utf-8

    {
        "sg": {
           "cw": "93ceada15860e236d36a90398596e18879c785aa06aa03aab1db27a6da6939fd",
           "tid": "411fbdb2-b2df-4ef9-a953-4a823ef471a1"
        }
    }


  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 503 Service Unavailable


  :query pretty: bool: if true, json will we returned pretty formatted
  :<json str pccid: 32 bytes, hex encoded pccid of sandgrain token
  :>json str cw: sandgrain challenge word, 32 bytes, hex encoded
  :>json str tid: sandgrain transaction id, must be sent in next ek-fin api call
  :status 201: OK
  :status 401: Login or credentials required (http basic auth failed)
  :status 403: Authorization error (sandgrain error, or internal api error)
  :status 503: Upstream server (sandgrain cyberrock) is down/not responding

.. _finalize_ek:

Finalize EK
-----------
.. http:post:: /api/1.0/iot/ek-fin
  :synopsis: Finalize EK exchange

  Finalize an ephemeral key exchange.
  And optionally store meta data (if authentication succeeded).

  After this call, both the api caller (device), and the api (agauth) know a shared secret (ephemeral key).
  The device should store this in non volatile memory.
  sgauth will store this secret hashed, so that it can do password validations on it.

  **Example request**:

  .. sourcecode:: http

    POST /api/1.0/iot/ek-fin HTTP/1.1
    Host: sgauth.intemo.com
    Content-Type: application/json
    Authentication: Basic dXNlcjpzZWNyZXQ=


    {
        "sg": {
           "pccid": "800000000000000000000000000000188d7aa5f9036480c8aa62f400023f2faa",
           "cw": "93ceada15860e236d36a90398596e18879c785aa06aa03aab1db27a6da6939fd",
           "tid": "411fbdb2-b2df-4ef9-a953-4a823ef471a1",
           "rw": "410eeed408ae7c482128f1b279f79f46",
        },
       "meta": {
          "username": "8d7aa5f9036480c8aa62f400023f2faa",
          "client-id": "0004A30B01668119",
          "product": "cityzenz-connect",
          "serial": "20251200123",
          "board": "CZ-STM32-17A",
          "revision": "2A03",
          "firmware": "1.2.3-1-ga807e57",
          "location": {"latitude": 51.23, "longitude": 5.17}
      }
    }

  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 201 CREATED

    {
      "status":"ok"
    }

  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 403 FORBIDDEN

    {
      "status": "fail",
      "details": "sandgrain auth error"
    }

  :<json str pccid: sandgrain pccid of token/chip, 32 bytes, hex encoded
  :>json str cw: sandgrain challenge word, received from matching ik-init api call
  :<json str tid: sandgrain transaction id, received from matching ek-init api call
  :<json str rw: sandgrain reply word, 16 bytes, hex encoded (generated by sandgrain token chip)
  :<json  meta.username: username that system wants to use for mqtt authentication (mandatory), must be right 32 bytes of pccid or the complete pccid. must be unique.
  :<json  meta.client-id: client-id that system wants to use for mqtt authentication (optional), must be unique. If a client-id is passed, it will be used for authentication. (Then the combination username/client-id/password must match).  If not passed only username/password is used for authentication.
  :<json  meta.serial: serial number that system wants to store (optional), must be unique
  :<json  meta.board: board type that system wants to store (optional)
  :<json  meta.revision: board revision that system wants to store (optional)
  :<json  meta.firmware: firmware version that system wants to store (optional)
  :query pretty: bool: if true, json will we returned pretty formatted
  :status 201: OK
  :status 401: Login or credentials required (http basic auth failed)
  :status 403: Authorization error (sandgrain error, or internal api error)
  :status 503: Upstream server is down/not responding (try again later)


Update metadata
---------------
.. http:post:: /api/1.0/iot/meta/<id>
  :synopsis: Update metadata

  Update or create metadata.

  **Example request**:

  .. sourcecode:: http

    POST /api/1.0/iot/meta/8d7aa5f9036480c8aa62f400023f2faa HTTP/1.1
    Host: sgauth.intemo.com
    Content-Type: application/json
    Authentication: Basic dXNlcjpzZWNyZXQ=, Bearer <shared-secret>


    {
       "meta": {
          "client-id": "0004A30B01668119",
          "product": "cityzenz-connect",
          "serial": "20251200123",
          "board": "CZ-STM32-17A",
          "revision": "2A03",
          "firmware": "1.2.3-1-ga807e57",
          "location": {"latitude": 51.23, "longitude": 5.17}
      }
    }

  **Example response**:

  .. sourcecode:: http

    HTTP/1.1 201 CREATED

  :reqheader Authorization: Bearer + shared secret as exchanged in :ref:`finalize_ek`)
  :param id: sandgrain id (right 16 bytes of pccid)
  :query pretty: bool: if true, json will we returned pretty formatted
  :<json str meta.client-id: client-id to user for mqtt authentication (May be empty, maybe identical to username, may be different)
  :<json str meta.serial: unique serial number of device  (eg: "20250400125")
  :<json str meta.board: Board type
  :<json str meta.revision: Board revision
  :<json str meta.firmware: software firmware version
  :<json str meta.location: gps location of device (at moment of key registration)
  :<json str meta.product: Product range identifier
  :status 201: OK
  :status 401: Login or credentials required (http basic auth failed, or http bearer auth failed, see response)