slips

SLIP-81

Bearer Token Auth System for Testing Servers

draft optional author:melvincarvalho author:stevebate

This SLIP defines the Bearer Token Auth system, an authentication mechanism for testing purposes that uses an API Key provided through an environment variable. This system aims to offer a balance between ease of setup for implementers and basic access control:

• The Bearer Token Auth system MUST validate PUT, POST, and DELETE requests using the API Key provided in the SOLID_API_KEY environment variable.
• The server MUST respond with a 401 Unauthorized status code if the provided bearer token does not match the SOLID_API_KEY.
• Implementers SHOULD ensure that the SOLID_API_KEY is kept secure and not hard-coded into application code.

Implementation Example with Express.js

The following middleware can be added to an Express.js application to protect routes that modify data:

// Add middleware to protect routes
const protectRoutes = (req, res, next) => {
  if (['PUT', 'POST', 'DELETE'].includes(req.method)) {
    const authHeader = req.headers.authorization;
    const apiKey = process.env.SOLID_API_KEY;
    
    // Check if the Authorization header is present and formatted correctly
    if (!authHeader || !authHeader.startsWith('Bearer ') || authHeader.split(' ')[1] !== apiKey) {
      return res.status(401).send('Unauthorized');
    }
  }
  next();
};

app.use(protectRoutes);

• The middleware checks for the presence and correctness of the Authorization header. If the header is missing, not a bearer token, or the bearer token does not match the SOLID_API_KEY, it returns a 401 Unauthorized response.

Security Considerations

1. The API Key should be unique and complex enough to avoid unauthorized access through guessing or brute-force attacks.

2. It is recommended to regularly rotate the API Key to reduce the risk of the key being compromised.

3. The Bearer Token Auth system should be used in conjunction with HTTPS to prevent the API Key from being intercepted in transit.

4. Access to the SOLID_API_KEY environment variable should be restricted to maintain the integrity of the auth system.

Warning

While the Bearer Token Auth system provides basic security, it is not recommended for production use where more robust authentication and authorization mechanisms are required.

Conclusion

The Bearer Token Auth system is designed for simplicity and ease of use in testing environments. It offers a straightforward method for protecting routes that alter server state while allowing unobstructed access for read operations. However, its use should be limited to environments where data security is not a critical concern.