Authorization
By default, the FasTnT EPCIS repository uses HTTP Basic authentication to authenticate and authorize user requests. Because Basic credentials are only base64-encoded, not encrypted, any deployment of the EPCIS repository should be served over HTTPS so that the credentials are transmitted securely.
An example of a valid header (username: test, password: PwdTest) is: Authorization: Basic dGVzdDpQd2RUZXN0
Unauthorized requests (without an Authorization header, or with invalid credentials) will receive a 401 Unauthorized response.
A request with a valid header will have the following behavior:
- A capture (event or masterdata) request will store a hash of the username/password pair together with the captured data in the database;
- A query will only return the events that were captured using exactly the same username/password values. This also applies to the EPCIS 2.0 top-resource discovery endpoints.
Subscriptions automatically apply the same filter, so only the events captured using the same credentials will be delivered to them.
As user management is outside the scope of an EPCIS repository, users are not stored in the database. This approach was chosen so that the authorization method can easily be replaced for any deployment.
With the default authorization method, each request is assigned a hash of its username/password credentials, and a user can only see the events and masterdata that were created with the same credentials.
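The following is an added illustration, not code from the FasTnT project: an in-memory model of the default behaviour described above. It builds and parses the Basic header, derives a hash of the username/password pair for each request, stores that hash with every capture, and filters queries by it, returning 401 for missing or malformed headers. The hash algorithm (SHA-256) and the event records are assumptions chosen for the example; the page does not name the hash FasTnT uses.

```python
import base64
import binascii
import hashlib
from dataclasses import dataclass, field


def basic_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic header value from a username/password pair."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(authorization):
    """Return (username, password) from a Basic header, or None if it is absent or invalid."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects non-alphabet characters; bad padding also raises binascii.Error
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Per RFC 7617 the username cannot contain ':', but the password may.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def credential_hash(authorization):
    """Hash of the username:password pair that scopes captures and queries.

    SHA-256 is an assumption for this example; the page does not specify the algorithm.
    """
    creds = parse_basic(authorization)
    if creds is None:
        return None
    username, password = creds
    return hashlib.sha256(f"{username}:{password}".encode("utf-8")).hexdigest()


@dataclass
class Repository:
    """In-memory stand-in for the repository: each stored event carries the credential hash."""
    events: list = field(default_factory=list)  # list of (credential_hash, event) tuples

    def capture(self, authorization, event):
        """Store an event tagged with the caller's credential hash; 401 if no valid header."""
        cred_hash = credential_hash(authorization)
        if cred_hash is None:
            return 401, None
        self.events.append((cred_hash, event))
        return 201, event

    def query(self, authorization):
        """Return only the events captured with exactly the same credentials."""
        cred_hash = credential_hash(authorization)
        if cred_hash is None:
            return 401, None
        return 200, [event for stored_hash, event in self.events if stored_hash == cred_hash]


if __name__ == "__main__":
    repo = Repository()
    alice = basic_header("alice", "s3cret")       # constructed sample credentials
    print(repo.capture(alice, {"eventID": "urn:uuid:example-1"}))  # constructed sample event
    print(repo.query(alice))                        # visible: same credentials
    print(repo.query(basic_header("alice", "other")))  # empty: password differs
    print(repo.query(None))                         # 401: no header
```

Note that the same username with a different password yields a different hash, so the second account sees an empty result set rather than an error; only a missing or unparsable header produces the 401.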
This behavior can be changed easily by providing and registering a custom implementation of the FasTnT.Application.Services.Users.ICurrentUser interface.