Security

Communications Security

For privacy and data integrity REST and WebSockets communications should be secured with Transport Layer Security (TLS). All communications over unsecure protocols like HTTP and WebSockets without TLS must be considered insecure even with authentication and access control mechanisms in place.

Authentication

Authentication for Signal K connections is based on a token carried in the message, or in a cookie or tokens carried in the HTTP Authorization header for a HTTP request. The tokens can be of any type.

Note: a Signal K server should never simply echo or redistribute a message received without removing or replacing the token. That would result in A's token being sent to B, which allows the B to impersonate A.

There are 3 authentication actions:

  • authenticate - login and obtain a token
  • logout - invalidate a token
  • validate - validate a token with auto-renewal if valid.

All 3 actions can be done via HTTP requests or by sending Signal K messages for non HTTP clients

Authentication via HTTP

A device or a web client can authenticate with a Signal K server by providing a username and password via a standard HTTP POST request to /signalk/«version»/auth/login.

The «version» field is the endpoint version identifier chosen by the client from those offered by the server. See the REST API documentation for the structure of these identifiers.

The client may send the login request with a Content-Type of application/json with the properties username and password in the body OR with a Content-Type of application/x-www-form-urlencoded with the username and password fields.

{
  "username": "me@somecompany.com",
  "password": "my password"
}

In response to a valid login, the server shall respond with a 200 (OK) status, set an HTTP session cookie and include the token expiry in seconds and the token value in the body of the response. The response Content-Type must be application/json.

{
  "timeToLive": 86400,
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXZpY2UiOiIxMjM0LTQ1NjUz"
}

In response to invalid login information the server must return HTTP error code 401 (Unauthorized).

If the server does not implement this authentication mechanism it must return HTTP error code 501 (Not Implemented).

Authentication via WebSockets, TCP, and Similar Transports

The client should send a the following message

{
  "requestId": "1234-45653-343454",
  "login": {
    "username": "john_doe",
    "password": "password"
  }
}

If the login is successful, the server will send a response like the following:

{
  "requestId": "1234-45653-343454",
  "state": "COMPLETED",
  "result": 200,
  "login": {
  	"timeToLive": 86400,
    "token": "eyJhbGciOiJIUzI1NiIsI...ibtv41fOnJObT4RdOyZ_UI9is8"
  }
}

If the login fails, the server will send a response like the following:

{
  "requestId": "1234-45653-343454",
  "state": "COMPLETED",
  "result": 401
}

The result codes are the same as normally used in HTTP.

Providing Authorization to the Server in Subsequent Requests

Web Based Clients

Web based clients should be sure to include the cookie or Authorization HTTP header obtained from the authentication response in all subsequent requests.

WebSockets Clients

Clients can include the authentication cookie with the initial request.

Clients can include the Authorization HTTP header with the initial connect request. The format of the header should be Bearer {token}, for example Authorization: Bearer eyJhbGciOiJIUzI1NiIsI...ibtv41fOnJObT4RdOyZ_UI9is8

Other Clients

Clients using other kinds of protocols must include the token in the Signal K messages they send.

{
  "context": "*",
  "token": "eyJhbGciOiJIUzI1NiIsI...ibtv41fOnJObT4RdOyZ_UI9is8"
  "unsubscribe": [
    {
      "path": "*"
    }
  ]
}

Token Validation

Tokens may have a short expiry time and need to be renewed periodically, or a token's current validity may be unknown.

HTTP Clients

To validate a token, a web based client should send an HTTP POST request to /signalk/«version»/auth/validate with the token in the cookie, or in the header. If the token is valid, a new token is created with new expiry time, and a new cookie or header set in the response. This effectively renews a token.

The reply message will be returned in any case.

Other Clients

Clients using other kinds of protocols can send the following message.

{
  "requestId": "1234-45653-343454",
  "validate": {
    "token": "eyJhbGciOiJIUzI1NiIsI...ibtv41fOnJObT4RdOyZ_UI9is8"
  }
}

Reply Messages

Any validation request results in one of the following messages

On success:

{
  "requestId": "1234-45653-343454",
  "state": "COMPLETED",
  "result": 200,
  "validate": {
    "token": "eyJhbGciOiJIUzI1NiIsI...ibtv41fOnJObT4RdOyZ_UI9is8"
  }
}

On error (result could be any HTTP code):

{
  "requestId": "1234-45653-343454",
  "state": "COMPLETED",
  "result": 401
}

Logout

HTTP Clients

To logout, an http based client should send an HTTP PUT request to /signalk/«version»/auth/logout with the token in the cookie or in the HTTP header.

Other Clients

Clients using other kinds of protocols should send the following message.

{
  "requestId": "1234-45653-343454",
  "logout": {
    "token": "eyJhbGciOiJIUzI1NiIsI...ibtv41fOnJObT4RdOyZ_UI9is8"
  }
}

Reply Messages

In both cases the reply will be

On success:

{
  "requestId": "1234-45653-343454",
  "state": "COMPLETED",
  "result": 200
}

On error (result could be any HTTP code):

{
  "requestId": "1234-45653-343454",
  "state": "COMPLETED",
  "result": 401
}

Device Access

Devices which don’t have any user interaction such as sensors with no input mechanisms should acquire a token using the Access Requests mechanism.