Big picture
(Drawio diagram, not rendered in this export)
Provision a new user on Move
The current API does not allow a password to be set when creating the user. Therefore a new endpoint is proposed.
The API MUST implement the POST endpoint specified at Users
The API MUST accept a pre-shared key (PSK) sent by the client in the Authorization header for this endpoint (eventually this will become an OAuth2 token)
The API MUST hash the password with SHA-256 and then apply bcrypt to the result before persisting it. The SHA-256 digest MUST be passed to bcrypt in an encoded form (hex or base64), never as raw bytes: most bcrypt implementations treat a NUL byte as end of input and truncate input at 72 bytes, and a raw 32-byte digest can contain a NUL
The API SHOULD make the system hash configuration (e.g. the bcrypt cost) configurable, so that stored hashes can later be upgraded via password_needs_rehash
The API MUST verify that the username matches the format [0-9]{5}@kabelnoord.nl, i.e. exactly five digits followed by @kabelnoord.nl; the check MUST be anchored to the whole string (with the dot treated literally) so that values with extra leading or trailing characters are rejected
Note: hashing with SHA-256 before applying bcrypt is not intended to increase the security of our own system: it adds no entropy, and the SHA-256 digest simply becomes the credential the STB presents to this API, so anyone who extracts it from the STB can still use it against Move. We do it so that the STB can store a hashed password instead of the clear-text one, making it harder for an attacker who reads the STB's storage to learn the user's actual password and try to use it on other services belonging to the user. See /wiki/spaces/BPLAT/pages/38554857
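The flow described above (SHA-256 pre-hash on the STB, bcrypt with a configurable cost on the server, an anchored username check and a PSK check on the provisioning endpoint) as an added PHP example. This is illustration written for this page, not the Move API's own code: the function names, the Bearer scheme for the PSK header, the cost value and the sample password are assumptions, and the pre-hash function only stands in for what the STB would do. PHP is used because the page refers to password_needs_rehash.

```php
<?php
declare(strict_types=1);

// Added illustration, not the Move API's own code. Function names, the 'Bearer'
// scheme for the PSK header and the cost value are assumptions.

// Anchored with ^ and \z (not $, which in PCRE also matches before a trailing
// newline) and with the dot escaped, so that e.g. "x12345@kabelnoord.nl",
// "12345@kabelnoord.nl.evil" and "12345@kabelnoordXnl" are all rejected.
const USERNAME_PATTERN = '/^[0-9]{5}@kabelnoord\.nl\z/';

function isValidUsername(string $username): bool
{
    return preg_match(USERNAME_PATTERN, $username) === 1;
}

// Stand-in for the STB side: what it stores and sends instead of the clear-text
// password. hash() without the binary flag returns 64 lowercase hex characters:
// no NUL bytes, and well under bcrypt's 72-byte input limit.
function preHashPassword(string $password): string
{
    return hash('sha256', $password);
}

// Server side: bcrypt the hex SHA-256 digest with the configured cost.
function hashForStorage(string $sha256Hex, int $cost): string
{
    // Reject a raw digest (hash(..., true)): it may contain a NUL byte, which
    // bcrypt implementations treat as end of input, silently shortening the key.
    if (preg_match('/^[0-9a-f]{64}\z/', $sha256Hex) !== 1) {
        throw new InvalidArgumentException('expected a hex-encoded SHA-256 digest');
    }
    return password_hash($sha256Hex, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verifyPassword(string $sha256Hex, string $storedHash): bool
{
    return password_verify($sha256Hex, $storedHash);
}

// True when the stored hash was made with a cost other than the one now
// configured, i.e. it should be re-hashed on the next successful login.
function storedHashIsStale(string $storedHash, int $cost): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// PSK check for the provisioning endpoint; hash_equals avoids a timing side channel.
// The 'Bearer' scheme is an assumption; the page does not specify one.
function pskMatches(string $authorizationHeader, string $expectedPsk): bool
{
    if (!str_starts_with($authorizationHeader, 'Bearer ')) {
        return false;
    }
    return hash_equals($expectedPsk, substr($authorizationHeader, strlen('Bearer ')));
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Walk-through with constructed values.
$cost     = 12;                                           // assumed configured system cost
$stbValue = preHashPassword('correct horse battery staple'); // constructed sample password
$stored   = hashForStorage($stbValue, $cost);

check(isValidUsername('12345@kabelnoord.nl'), 'well-formed username accepted');
check(!isValidUsername('1234@kabelnoord.nl'), 'four digits rejected');
check(!isValidUsername('x12345@kabelnoord.nl'), 'leading junk rejected (anchored)');
check(!isValidUsername("12345@kabelnoord.nl\n"), 'trailing newline rejected (\z, not $)');
check(!isValidUsername('12345@kabelnoordXnl'), 'dot is literal, not a wildcard');
check(verifyPassword($stbValue, $stored), 'correct pre-hash verifies');
check(!verifyPassword(preHashPassword('wrong'), $stored), 'wrong password fails');
check(!storedHashIsStale($stored, $cost), 'hash at the current cost is not stale');
check(storedHashIsStale($stored, $cost + 1), 'raising the configured cost flags the hash for rehash');
check(pskMatches('Bearer s3cret', 's3cret'), 'PSK accepted');
check(!pskMatches('Bearer s3cret2', 's3cret'), 'wrong PSK rejected');
echo "all checks passed\n";
```

Two details are easy to get wrong in this flow: the username pattern must be anchored with `\z` rather than `$` (PCRE's `$` also matches before a final newline) and must escape the dot, and the SHA-256 digest handed to bcrypt must be the hex (or base64) string, because a raw digest containing a NUL byte would be truncated at that byte by bcrypt. Raising the configured cost does not rewrite existing hashes; password_needs_rehash flags them so they can be re-hashed on the next successful verification, which is the only time the input is available.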