Sessions (sessions)

Requests

HTTP verb Endpoint Description

POST

/rest/v1/iam/sessions

Creating a session (login)

GET

/rest/v1/iam/sessions/current

Retrieving data on the current session

PATCH

/rest/v1/iam/sessions/current

Changing the current session

DELETE

/rest/v1/iam/sessions/current

Deleting the current session (logout)

Creating a session (login)

Authenticates the user to the domain, creates a session and sets a cookie (RSession) or returns a token (session_token) in response to a request.

Thereafter, all requests containing a RSession cookie with a session ID are associated with that session. If session_type is specified, the client (web application) receives a token (session_token) in the response, must read and memorize it, and then send a header for API requests to work in the context of this individual session Authorization: Bearer <session_id>.

Applies an IP address ban filter to combat account brute force. Rejects the request without processing if an unsuccessful authorization attempt has occurred 5 times within the previous 3 minutes (wrong combination of parameters domain, login, pwd).

When requests with a non-existent session ID are received, it applies a ban filter using the same rules.

Request

Table 1. Request parameters
Specification Description

Name: domain
Type: str

Domain for authorization.

Name: login
Type: str

The login credentials of the user account in the domain.

Name: pwd
Type: str

The password for the user account in the domain.

Name: session_type
Type: str
Default: none

The type of session to be created. Possible values:

  • 'token' – an individual session will be created, the identifier of which will be returned in the response body instead of the cookie header. This value should be passed in the cookie header in the future "Authorization: Bearer TOKEN".

  • 'token_clone_cookie' – opens a new session by copying credentials from the session via a cookie (which is sent by the browser automatically). If 'domain', 'login', 'pwd' parameters are not required, they will be ignored.

  • 'cookie' - a standard session will be created and set in the header cookie.

  • if there is no value, it is equivalent to 'cookie'

Name: token
Type: str Default: none

External token. If the parameter is set, a service script for verifying the external token installed in the system is run instead of password verification (master-domain parameter 'iam_token_svcscript_code'). The parameters 'domain', 'login', 'pwd' are not required, they will be ignored. To confirm authentication, the script must return the name of the existing domain and the login of the existing user in the domain in variables with special names.
Example of a request to create a session
POST /rest/v1/iam/sessions HTTP/1.1
Content-Type: application/json; charset=utf-8

{
  "domain": "docs.rootdomain.ru",
  "login": "peter",
  "pwd": "123"
}
Example of a request to create an individual session
POST /rest/v1/iam/sessions HTTP/1.1
Content-Type: application/json; charset=utf-8

{
  "session_type": "token",
  "domain": "kzn.tele.dom",
  "login": "username",
  "pwd": "userpass"
}
Example of a request to clone a cookie session into an individual session
POST /rest/v1/iam/sessions HTTP/1.1
Cookie: RSession=07f49a96-0178-a220-2e37-e0d55e0cd303
Content-Type: application/json; charset=utf-8

{
  "session_type": "token_clone_cookie"
}

Response

Session creation
HTTP/1.1 204 No Content
set-cookie: RSession=6ef97511-0178-a21d-bd9a-e0d55e0cd303; Expires=Mon, 19 Apr 2021 12:59:21 GMT; Path=/; SameSite=Strict
Creating an individual session or cloning
HTTP/1.1 200 OK

{
  "session_token": "e2479460-0174-01d8-6638-e0d55e0cd13e"
}

Retrieving data on the current session

The session is identified first by the token (Authorization header) if it is present and valid (lifetime has not expired), otherwise by the cookie.

Returns the data for the current session:

Field Type Description

domain

str

current domain name

domain_is_master

bool

true, if the current domain is a master, otherwise false

domains

array<object>

list of domains to which the user can switch without additional authorization

login

str

authorized user login

name

str

authorized user name

name_login

str

a single string containing the name and login of the authorized user

roles

array<str>

list of authorized user roles in the current domain

solution

str

current domain solutio type

tags

array<str>

authorized user account tags

user_id

uuid

authorized user ID

webapps

array<object>

list of web applications available to an authorized user

The domains field. Each domain is specified as an object:

Field Type Description

domain

str

domain name

is_master

bool

true, if the domain is a master, otherwise false

The webapps field. Each web application is specified as an object:

Field Type Description

name

str

application name

description

str

application description

order

int

withdrawal order

icon

str

URL application icon resource

fa-icon

str

icon name in the format font-awesome

roles

array<str>

list of user roles to which the application is available

url

str

URL application launch points

Web application objects may contain additional fields that are substituted directly from metadata files (webapps.json in the solushen metadata folder for system applications and in the role application metadata file).

Request

Request example
GET /rest/v1/iam/sessions/current HTTP/1.1

Response

Response example
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
  "domain": "docs.rootdomain.ru",
  "domain_is_master": false,
  "domains": [
    {
      "domain": "rootdomain.ru",
      "is_master": true
    },
    {
      "domain": "test.rootdomain.ru",
      "is_master": false
    }
  ],
  "login": "peter",
  "name": "Peter Bukashin",
  "name_login": "Peter Bukashin (peter)",
  "roles": [
    "admin"
  ],
  "solution": "incoplax",
  "tags": [],
  "user_id": "71374fef-42f1-4e49-2069-faab905d4be2",
  "webapps": [
    {
      "name": "Objects",
      "order": 130,
      "fa-icon": "fa-paw",
      "icon": "/main_icons/objects.svg",
      "roles": [
        "admin"
      ],
      "url": "/objects"
    },
    {
      "name": "Scenarios",
      "order": 150,
      "fa-icon": "fa-pencil-square-o",
      "icon": "/main_icons/scripteditor.svg",
      "roles": [
        "scripteditor",
        "admin"
      ],
      "url": "/scripteditor"
    }
  ]
}

Changing the current session

Reassigns the current session to another domain, one available for direct switching without authorization. The session is handled either by token only if the Authorization header is present, or by cookie only. If the token is present but not valid, no work with the cookie takes place.

Request

Request example
PATCH /rest/v1/iam/sessions/current HTTP/1.1
Content-Type: application/json; charset=utf-8

{
  "domain": "test.rootdomain.ru"
}

Response

HTTP/1.1 204 No Content
set-cookie: RSession=07f49a96-0178-a220-2e37-e0d55e0cd303; Expires=Mon, 19 Apr 2021 13:02:24 GMT; Path=/; SameSite=Strict

Deleting the current session (logout)

Deletes the current session.

  • If the Authorization header is present in the request, an attempt will be made to delete the session bound to the token specified in it. The session bound to the cookie is not affected.

  • If the Authorization header is missing, the session specified in the cookie.

Request

Request example
DELETE /rest/v1/iam/sessions/current HTTP/1.1

Response

HTTP/1.1 204 No Content
set-cookie: RSession=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; SameSite=Strict
  • Personalization
  • Increase font size
  • Decrease font size