burgernotes-server/APIDOCS.md

87 lines
2.9 KiB
Markdown
Raw Normal View History

2023-08-05 23:28:57 +01:00
# Burgernotes API docs
Use the Burgernotes API to automate tasks, build your own client, and more!
Headers should be: "Content-type: application/json; charset=UTF-8" for all POSTs
2023-08-06 18:17:28 +01:00
2023-08-05 23:28:57 +01:00
## Authentication
POST - /api/signup - provide "username" and "password".
2024-02-26 16:52:02 +00:00
POST - /api/login - provide "username", "password", "passwordchange" (must be "yes" or "no") and "newpass"
2023-08-05 23:28:57 +01:00
2024-02-25 19:41:46 +00:00
To prevent the server from knowing the encryption key, the password you provide in the request must be hashed with the SHA-3 with 128 iterations (the hash is hashed again 128 times).
2024-02-26 16:52:02 +00:00
If you wish to change the user's password, set "passwordchange" to "yes" and "newpass" to the new hash.
2024-02-25 19:41:46 +00:00
2024-02-25 19:38:36 +00:00
Some users use the legacy argon2id mode (by which i mean about 8, so only implement if you feel like it), and to implement argon2id functionality, you hash like this:
2023-08-06 18:19:38 +01:00
Parallelism should be 1
2024-02-25 19:38:36 +00:00
2023-08-06 18:19:38 +01:00
Iterations should be 256
2024-02-25 19:38:36 +00:00
2023-08-06 18:19:38 +01:00
Memory Allocated in bytes should be 512
2024-02-25 19:38:36 +00:00
2023-08-06 18:19:38 +01:00
Length of Hash should be 32 bytes
2024-02-25 19:38:36 +00:00
2023-08-06 18:19:38 +01:00
The output should be in the encoded format, not the hashed format
2024-02-25 19:38:36 +00:00
2024-02-25 19:41:46 +00:00
Salt should be the SHA512 of the password
2024-02-25 19:38:36 +00:00
2024-02-25 19:41:46 +00:00
(Yes i know this is really bad practice, guess why we are replacing it)
2023-08-06 18:19:38 +01:00
2024-02-25 19:41:46 +00:00
To test if SHA-3 or argon2 is used, just try the SHA-3 and if 422 gets returned try argon2.
2023-08-06 18:19:38 +01:00
2024-02-25 19:41:46 +00:00
(For the sake of all of us, change the password to the SHA-3 hash)
2023-08-05 23:28:57 +01:00
2024-02-25 19:38:36 +00:00
2024-02-23 11:32:47 +00:00
Password should be at least 8 characters, username must be under 20 characters and alphanumeric.
2023-08-05 23:28:57 +01:00
If username is taken, error code 422 will return.
Assuming everything went correctly, the server will return a secret key.
You'll need to store two things in local storage:
- The secret key you just got, used to fetch notes, save stuff etc.
2024-02-25 19:41:46 +00:00
- A SHA512 hashed password, used as encryption key
2023-08-05 23:28:57 +01:00
## Encryption
Note content and title is encrypted using AES 256-bit.
2024-02-25 19:41:46 +00:00
Encryption password is the SHA512 hashed password we talked about earlier.
2023-08-05 23:28:57 +01:00
## Basic stuff
POST - /api/userinfo - get user info such as username, provide "secretKey"
POST - /api/listnotes - list notes, provide "secretKey"
note titles will have to be decrypted.
POST - /api/newnote - create a note, provide "secretKey" and "noteName"
"noteName" should be encrypted.
POST - /api/readnote - read notes, provide "secretKey" and "noteId"
note content will have to be decrypted.
POST - /api/editnote - edit notes, provide "secretKey", "noteId", and "content"
"content" should be encrypted.
2024-02-27 00:19:27 +00:00
POST - /api/editnotetitle - edit note titles, provide "secretKey", "noteId", and "content"
"content" should be encrypted.
2023-08-05 23:28:57 +01:00
POST - /api/removenote - remove notes, provide "secretKey" and "noteId"
## More stuff
POST - /api/deleteaccount - delete account, provide "secretKey"
please display a warning before this action
POST - /api/exportnotes - export notes, provide "secretKey"
2023-08-19 18:20:37 +01:00
note content and title will have to be decrypted
POST - /api/sessions/list - show all sessions, provide "secretKey"
2024-02-25 19:41:46 +00:00
POST - /api/sessions/remove - remove session, provide "secretKey" and "sessionId"