PowerScale OneFS API Reference

Implement CSRF authentication

Obtain a CSRF token to submit with each OneFS API request.

1. Send an authentication request with credentials to the OneFS session API (/session/11/session).

    $ curl -vk https://00.0.0.0:8080/session/1/session -X POST \
                -H 'Content-Type: application/json' \
                -d '{ "username": "testuser",
                      "password": "A_Pa$$word",
                      "services": ["platform"]
                    }'

   The server validates supplied credentials and performs global API authorization checks. If client identity is confirmed and authorization checks pass, the server responds with two tokens: a session token (isisessid) and an anti-CSRF token (isicsrf). Save both tokens and submit them on subsequent API requests to pass authentication checks. If authentication fails, then an appropriate HTTP error code is returned.

   Response:

   HTTP/1.1 201 Created
          Date: Thu, 25 Jan 2020 22:34:20 GMT
          Server: Apache/2.2.34 (FreeBSD) mod_ssl/2.2.34 OpenSSL/1.0.2k-fips
   mod_fastcgi/2.4.6
          Set-Cookie: isisessid=924bb64a-cffd-4d98-9ccc-6703fabc3210; path=/;
   HttpOnly; Secure; SameSite=strict
          Set-Cookie: isicsrf=8c5da1e4-5508-4609-9978-4a6d283e4c3a; path=/;
   Secure
          Content-Length: 96
          Content-Type: application/json
         
   {"services":["platform"],"timeout_absolute":14400,"timeout_inactive":900,"username":"testuser"}

2. For authenticated requests to the OneFS platform API, the client sends their OneFS session cookie. For successful CSRF request validation checks, the client also sends the CSRF token cookie that is obtained at initial authentication in a special header (X-CSRF-Token). Also send a populated Referrer header matching the connecting host.

   $ curl -vk https://00.0.0.0:8080/platform/14/auth/id \
                -b 'isisessid=924bb64a-cffd-4d98-9ccc-6703fabc3210' \
                -H 'X-CSRF-Token: 8c5da1e4-5508-4609-9978-4a6d283e4c3a' \
                --referer https://00.0.0.0:8080

   Response:

   HTTP/1.1 200 Ok
   Date: Wed, 17 Nov 2021 13:48:28 GMT
   Server: Apache
   Allow: GET, HEAD
   X-Frame-Options: sameorigin
   X-Content-Type-Options: nosniff
   Strict-Transport-Security: max-age=31536000;
   Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data:; script-src 'self' 'unsafe-eval'; 
     style-src 'unsafe-inline' 'self'; 
   Transfer-Encoding: chunked
   Content-Type: application/json
   
   {
   "ntoken" : 
   {
   "additional_id" : 
   [
   
   {
   "id" : "SID:S-1-5-11"
   },
   
   {
   "id" : "GID:5"
   },
   ],
   "gid": 
   {
    "id": "GID:0"
   },
   "group_sid": 
   {
   "id": "SID:S-1-22-2-0"
   },
   "ifs_restricted": false,
   "local_address": "10.224.36.234",
   "on_disk_group_id": 
   {
   "id": "GID:0"
   },
   "on_disk_user_id": 
   {
   "id": "UID:0"
   },
   "privilege": 
   [
               
   {
   "id": "ISI_PRIV_LOGIN_CONSOLE",
   "name": "Console",
   "permission": "r"
   }
   ],
   "protocol": 10,
   "remote_address": "10.91.79.227",
   "uid": 
   {
   "id": "UID:0"
   },
   "user_sid": 
   {
   "id": "SID:S-1-22-1-0"
   },
   "zid": 1,
   "zone_id": "System"
    }
   }