Authentication
The webqueue2 API uses a two-stage authentication system combining Active Directory and HTTP Token (or "bearer") authentication.
Getting an Access Token
All API calls require an access token. You can get an access token by making a POST request to the /api/login endpoint containing the JSON-encoded username and password of a valid user.
Who is a valid user?
A valid user is a non-admin BoilerAD user who is in the 00000227-ECN-webqueue group. Users cannot be added directly to this group. To be included in this group, a user must exist in one of the following groups:
- 00000227-ECNStaff
- 00000227-ECNStuds
- 00000227-ECN-webqueue-misc
Example
Get an access token.
fetch(
        "https://engineering.purdue.edu/webqueue/webqueue2/build/api/login",
        {
            method: "POST",
            headers: {'Content-Type': 'application/json'},
            body: JSON.stringify({ "username": USERNAME, "password": PASSWORD})
        }
    )
    .then( resp => resp.json() )
    .then( data => console.log( data.access_token ))
// Expected Output
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MTY1NTIyMDIsIm5iZiI6MTYxNjU1MjIwMiwianRpIjoiZDgyNGM1MWItM2JmNy00ZDUzLWE0YTgtY2VhZWQ5ZmVjNGYzIiwiZXhwIjoxNjE2NTUzMTAyLCJzdWIiOiJjYW1wYjMwMyIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyIsImNzcmYiOiI1Yjk5NWQ5OS05YjIzLTQyMjYtYTc0OC1lMmQ5OTA4MDkzOTQifQ.6z7EReDfhPkBkuAMHEvDuMDV4wVbqrWSjQXdRyv_5hE"
Making Calls With Access Token
To interact with the API, add an Authorization header to your request with a value of Bearer TOKEN where TOKEN is your access token.
Example
Get item CE 100.
let access_token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MTY1NTIyMDIsIm5iZiI6MTYxNjU1MjIwMiwianRpIjoiZDgyNGM1MWItM2JmNy00ZDUzLWE0YTgtY2VhZWQ5ZmVjNGYzIiwiZXhwIjoxNjE2NTUzMTAyLCJzdWIiOiJjYW1wYjMwMyIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyIsImNzcmYiOiI1Yjk5NWQ5OS05YjIzLTQyMjYtYTc0OC1lMmQ5OTA4MDkzOTQifQ.6z7EReDfhPkBkuAMHEvDuMDV4wVbqrWSjQXdRyv_5hE";
let queue = "ce";
let item_number = 100;
fetch(
    `https://engineering.purdue.edu/webqueue/webqueue2/build/api/data/${queue}/${item_number}`,
    { headers: {"Authorization":`Bearer ${access_token}` }}
)
.then( resp => resp.json() )
.then( data => console.log( data ));
// Expected Output
{queue: "ce", number: 100, lastUpdated: "2021-03-11T07:24:00-0500" ... }
Refreshing Access Tokens
When you log in, you'll receive an access token that expires 15 minutes after creation as well as two cookies needed to get a new access token. Those cookies are:
| Name | Value | Path | Expiration | SameSite |
|---|---|---|---|---|
| refresh_token_cookie | Your refresh token. | /api/tokens/refresh | 30 Days | Yes |
| csrf_refresh_token | Additional verification data. (e.g. 7b7c1ea8-f6bb-4204-99af-cd4124a69d89) | / | Session | Yes |

The refresh_token_cookie is used to generate a new access token and will be sent back to the server with every request automatically. It expires 30 days after login. The csrf_refresh_token is used to verify the refresh_token_cookie and needs to be sent back as an X-CSRF-TOKEN header.
To refresh your access token, make a POST request to the /api/tokens/refresh endpoint with the value of the csrf_refresh_token cookie inside an X-CSRF-TOKEN header:
Example
Get a new access token.
// Get this value from your cookies.
const csrf_refresh_token = "7b7c1ea8-f6bb-4204-99af-cd4124a69d89"
fetch(
    `https://engineering.purdue.edu/webqueue/webqueue2/build/api/tokens/refresh`,
    {
        method: "POST",
        headers: {'X-CSRF-TOKEN': csrf_refresh_token}
    }
)
.then( resp => resp.json() )
.then( data => console.log( data.access_token ));
// Expected Output
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MTY1NTIyMDIsIm5iZiI6MTYxNjU1MjIwMiwianRpIjoiZDgyNGM1MWItM2JmNy00ZDUzLWE0YTgtY2VhZWQ5ZmVjNGYzIiwiZXhwIjoxNjE2NTUzMTAyLCJzdWIiOiJjYW1wYjMwMyIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyIsImNzcmYiOiI1Yjk5NWQ5OS05YjIzLTQyMjYtYTc0OC1lMmQ5OTA4MDkzOTQifQ.6z7EReDfhPkBkuAMHEvDuMDV4wVbqrWSjQXdRyv_5hE
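The refresh flow above leaves it to the client to decide when to refresh. The following is an added example, not code from the webqueue2 project: it reads the `exp` claim from an access token to decide when a refresh is due, and builds the refresh call from the csrf_refresh_token cookie. All helper names are hypothetical, the sample token is constructed, and the caller is assumed to be on the same origin as the API.

```javascript
// Added example; helper names are hypothetical, not part of webqueue2.
const API = "https://engineering.purdue.edu/webqueue/webqueue2/build/api";

// Decode the JWT payload WITHOUT verifying the signature. Fine for scheduling
// a refresh; never base an authorization decision on unverified claims.
function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")));
}

// True once the token is within skewSeconds of its exp claim (or past it).
function needsRefresh(token, nowSeconds, skewSeconds = 30) {
  const { exp } = decodeClaims(token);
  if (typeof exp !== "number") return true; // no exp claim: treat as stale
  return nowSeconds >= exp - skewSeconds;
}

// Read one cookie from a document.cookie-style string; null if absent.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const eq = pair.indexOf("=");
    if (eq > -1 && pair.slice(0, eq).trim() === name) {
      return decodeURIComponent(pair.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build the refresh call: the CSRF value goes in the X-CSRF-TOKEN header, while
// refresh_token_cookie travels as a cookie (assumption: same-origin caller).
function refreshRequest(cookieString) {
  const csrf = readCookie(cookieString, "csrf_refresh_token");
  if (!csrf) throw new Error("csrf_refresh_token missing; log in again");
  return {
    url: `${API}/tokens/refresh`,
    init: { method: "POST", credentials: "same-origin", headers: { "X-CSRF-TOKEN": csrf } },
  };
}

// Constructed sample token: placeholder signature, 15-minute lifetime.
function makeSampleToken(iat) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ typ: "JWT", alg: "HS256" }), enc({ iat, exp: iat + 900, type: "access" }), "sig"].join(".");
}
```

In a browser, pass `document.cookie` to `refreshRequest` and hand the result to `fetch(req.url, req.init)` whenever `needsRefresh(token, Date.now() / 1000)` returns true.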