Authentication and access control
The authentication system is mostly based on the Ruby on Rails stateless session authentication system. This means that the server does not store generic session data on the server side; instead it sends a token to the client, and that token is used to authenticate the user on subsequent requests.
You can find the authentication logic in the @snip/auth package, found in the packages/auth directory.
We define three levels of access control:
- Public: No authentication required
- Protected: Authentication required via session
- Protected books: Authentication required via session and the user must have permission to access the book
Additionally, we allow access via user-created tokens. There are two types of tokens:
- Sharable links/UI tokens: These tokens can be generated to grant read-only access to a book. They are generated by the user and can be revoked at any time. They are stored in the database, and on the first request they generate a session token that is used for subsequent requests.
- API tokens: These tokens are generated by the user and can be revoked at any time. They are stored in hashed form in the database. They are used to authenticate automated requests to the API. They have to be sent as a header: Authorization: Bearer <token>.