8.1.2 Security Token
API links that call the upload pop-up tool can be protected against being manually copied and used by a different user under the existing SessionID.
Token-based security is used to protect a call to the upload tool.
The token is encrypted by the application calling the Thru API, using a secret key shared with Thru.
The token is passed to the Thru server and is decrypted using the shared key.
The security token structure for the upload tool is represented in JSON with the following fields:
Where the parameters are:
Version : version of the token object. Supported value: 1.
FolderID : ID of the folder used by the upload tool for uploading files/folders, returned by one of the folder management API calls.
Email : email of the user to record in audit records with the operation. It can differ from the user account that opened a Thru server.
AllowedIP : IP address allowed to perform the upload; it is checked by the Thru server. If the IP address of the connecting browser does not match AllowedIP, the operation is blocked.
TimeStamp : time of token creation, used for token validation to protect against token replay. The Thru server checks that the token is not beyond the expiration time interval defined in the Thru server. Note: Date should be strictly in the format MM/DD/YYY H:MM PM
Session : unique identifier of the Thru user session, received as the result of an Open() or OpenImmutable() call. It is used for access control and logging purposes.
The following methods and options should be used by the calling application to encrypt the token:
Encryption algorithm: Advanced Encryption Standard (AES-256) symmetric algorithm.
Encryptor specified key: shared key in base64string format
Initialization vector (IV): shared key in base64string format
Security token for URL should use base64string format.
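The token round trip described in this section, as an added example (not Thru's code and not part of the original documentation): the calling side builds and encrypts the JSON token, and a receiving side applies the AllowedIP and TimeStamp checks. The cipher mode (CBC), PKCS#7 padding, UTC timestamps, a four-digit year, the five-minute expiry window and all function names are assumptions; the key and IV are the sample values given in this section.

```javascript
// Added example, not Thru code. Assumed (not stated on the page): CBC mode,
// PKCS#7 padding, UTC timestamps, four-digit year, 5-minute expiry window.
const crypto = require('crypto');

// Sample key and IV from the page; real deployments use their own shared secret.
const KEY = Buffer.from('AFA3wdfEuCrdFw8QaHFzN6LRXaBoCTHxcWnqNImp7g3=', 'base64'); // 32 bytes
const IV = Buffer.from('JHnmhMkTjkl8fHqYx/l7bA==', 'base64'); // 16 bytes

// Format a Date as "MM/DD/YYYY H:MM PM" in UTC.
function formatTimeStamp(d) {
  const p = (n) => String(n).padStart(2, '0');
  const h = d.getUTCHours();
  return `${p(d.getUTCMonth() + 1)}/${p(d.getUTCDate())}/${d.getUTCFullYear()} ` +
    `${h % 12 || 12}:${p(d.getUTCMinutes())} ${h < 12 ? 'AM' : 'PM'}`;
}

// Parse the same format back to epoch milliseconds; NaN if malformed.
function parseTimeStamp(s) {
  const m = /^(\d{2})\/(\d{2})\/(\d{4}) (\d{1,2}):(\d{2}) (AM|PM)$/.exec(s);
  if (!m) return NaN;
  const hour = (Number(m[4]) % 12) + (m[6] === 'PM' ? 12 : 0);
  return Date.UTC(Number(m[3]), Number(m[1]) - 1, Number(m[2]), hour, Number(m[5]));
}

// Calling application: serialize the fields, encrypt, return base64.
function encryptToken(fields) {
  const c = crypto.createCipheriv('aes-256-cbc', KEY, IV);
  return Buffer.concat([c.update(JSON.stringify(fields), 'utf8'), c.final()]).toString('base64');
}

// Receiving side: decrypt, then apply the Version, AllowedIP and TimeStamp checks.
function validateToken(tokenB64, clientIp, nowMs, maxAgeMs = 5 * 60 * 1000) {
  let fields;
  try {
    const d = crypto.createDecipheriv('aes-256-cbc', KEY, IV);
    const plain = Buffer.concat([d.update(Buffer.from(tokenB64, 'base64')), d.final()]);
    fields = JSON.parse(plain.toString('utf8'));
    if (fields === null || typeof fields !== 'object') throw new Error('shape');
  } catch (e) {
    return { ok: false, reason: 'decrypt' }; // wrong key, truncated or malformed token
  }
  if (Number(fields.Version) !== 1) return { ok: false, reason: 'version' };
  if (fields.AllowedIP !== clientIp) return { ok: false, reason: 'ip' };
  const age = nowMs - parseTimeStamp(fields.TimeStamp);
  if (!(age >= 0 && age <= maxAgeMs)) return { ok: false, reason: 'expired' }; // also rejects NaN
  return { ok: true, fields };
}
```

The base64 output can contain `+`, `/` and `=`, so percent-encode it (for example with `encodeURIComponent`) before placing it in a URL.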
Sample of token encryption parameters:
Encryptor specified key: AFA3wdfEuCrdFw8QaHFzN6LRXaBoCTHxcWnqNImp7g3=
Initialization vector (IV): JHnmhMkTjkl8fHqYx/l7bA==
Encrypted token in base64string format: