Each mutation query must be authenticated to take effect.
Queries do NOT need authentication, but some may need a `client_identifier` to return the desired data.
In these cases `<api key identifier>` and `<hash>` can be left empty or set anyway.
Authentication is done using the HTTP `Authorization` header.
It must be set to the following:

`Mensa <base64 of auth info>`

where `<base64 of auth info>` is a Base64 encoding according to RFC 3548, using padding, of:

`<client_id>:<api key identifier>:<hash>`

This string consists of three parts separated by `:`.

placeholder | description |
---|---|
`<client_id>` | Randomly generated UUID identifying the client |
`<api key identifier>` | First 10 symbols of an API key. It can be requested from TODO. |
`<hash>` | Base64 of the hash, see below |

The hash is calculated as a SHA-512 HMAC over the HTTP request body (for normal, non-multipart requests). The UTF-8 encoding of the API key is used as the key.

For multipart requests arising from file uploads (for `addImage`), the HMAC is calculated only over the body of the request's JSON part (with name `operations`).

For more details on the GraphQL multipart standard, see the spec.
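
The header construction described above for an authenticated mutation, together with a matching server-side check, as an added example that is not the project's own code. The function names, the sample key and the sample body are assumptions made for illustration, as is the choice of the standard (not URL-safe) Base64 alphabet.

```python
import base64
import hashlib
import hmac
import uuid

SCHEME = "Mensa"

def body_hash(api_key: str, signed_body: bytes) -> str:
    """<hash>: Base64 of the SHA-512 HMAC, keyed with the UTF-8 API key."""
    mac = hmac.new(api_key.encode("utf-8"), signed_body, hashlib.sha512)
    return base64.b64encode(mac.digest()).decode("ascii")

def build_authorization(client_id: str, api_key: str, signed_body: bytes) -> str:
    """Client side. signed_body is the whole HTTP body, or for a multipart
    upload only the body of the part named `operations`."""
    info = f"{client_id}:{api_key[:10]}:{body_hash(api_key, signed_body)}"
    return f"{SCHEME} {base64.b64encode(info.encode('utf-8')).decode('ascii')}"

def verify_authorization(header: str, signed_body: bytes, known_keys):
    """Server side (hypothetical helper). Returns the client id, or None."""
    scheme, _, token = header.partition(" ")
    if scheme != SCHEME:
        return None
    try:
        info = base64.b64decode(token, validate=True).decode("utf-8")
        client_id, key_id, sent_hash = info.split(":", 2)
        uuid.UUID(client_id)  # reject client ids that are not UUIDs
    except ValueError:  # bad Base64, bad UTF-8, missing part, bad UUID
        return None
    for key in known_keys:
        expected = body_hash(key, signed_body).encode("ascii")
        # Constant-time comparison so timing does not leak the hash.
        if key[:10] == key_id and hmac.compare_digest(expected, sent_hash.encode("utf-8")):
            return client_id
    return None

if __name__ == "__main__":
    # Constructed sample values, not real credentials or project queries.
    cid = str(uuid.uuid4())
    key = "constructed-sample-api-key-0001"
    body = b'{"query":"mutation { example }"}'
    header = build_authorization(cid, key, body)
    print(header)
    print(verify_authorization(header, body, [key]) == cid)         # intact body
    print(verify_authorization(header, body + b" ", [key]) is None)  # altered body
```

Because the HMAC covers only the body, the check detects a modified body but says nothing about the URL, other headers, or whether the same request was sent before.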