HTTP Basic Authentication¶
The default method for securing the Ralph API server is HTTP Basic Authentication. For this, we need to create a user in Ralph LRS.
Creating user credentials¶
To create a new user credentials, Ralph CLI provides a dedicated command:
Tip
You can either display the helper with ralph auth --help or check the CLI tutorial here
This command updates your credentials file with the new janedoe user.
Here is the file that has been created by the ralph auth command:
[
{
"agent": {
"mbox": "mailto:janedoe@example.com",
"objectType": "Agent",
"name": null
},
"scopes": [
"statements/write",
"statements/read"
],
"hash": "$2b$12$eQmMF/7ALdNuksL4lkI.NuTibNjKLd0fw2Xe.FZqD0mNkgnnjLLPa",
"username": "janedoe"
}
]
Alternatively, the credentials file can also be created manually. It is expected to be a valid JSON file. Its location is specified by the RALPH_AUTH_FILE configuration value.
Tip
By default, Ralph LRS looks for the auth.json file in the application directory (see click
documentation for
details).
The expected format is a list of entries (JSON objects) each containing:
- the username
- the user’s hashed+salted password
- the scopes they can access
- an
agentobject used to represent the user in the LRS.
Info
The agent is constrained by LRS specifications, and must use one of four valid Inverse Functional Identifiers.
Making a GET request¶
After changing the docker-compose.yml file as follow:
version: "3.9"
services:
lrs:
image: fundocker/ralph:latest
environment:
RALPH_APP_DIR: /app/.ralph
RALPH_RUNSERVER_BACKEND: fs
RALPH_RUNSERVER_AUTH_BACKENDS: basic
ports:
- "8100:8100"
command:
- "uvicorn"
- "ralph.api:app"
- "--proxy-headers"
- "--workers"
- "1"
- "--host"
- "0.0.0.0"
- "--port"
- "8100"
volumes:
- .ralph:/app/.ralph
we can request the whoami endpoint again, but this time sending our username and password through Basic Auth:
Congrats! 🎉 You have been successfully authenticated!
HTTP Basic auth caching
HTTP Basic auth implementation uses the secure and standard bcrypt algorithm to hash/salt passwords before storing them. This implementation comes with a performance cost.
To speed up requests, credentials are stored in an LRU cache with a “Time To Live”.
To configure this cache, you can define the following environment variables:
- the maximum number of entries in the cache. Select a value greater than the maximum number of individual user credentials, for better performance. Defaults to 100.