Access Management

In this section, we will look at how to perform two-factor authentication. The result of this process is an authorization token that contains the role of the user (CLIENT, SELLER, ADMIN, SUPERADMIN). This token is valid for one hour. Once the validity period has expired, you can obtain a new token by following the procedure for refreshing the token.

Two-factor authentication

For this operation, the call must have the Authorization HTTP header set with the GUEST token. The result of the first-factor authentication is an SMS containing the code needed for the second-factor authentication. The authentication process returns a CLIENT token, which we will use for further calls.

  // The Authorization header must already hold the GUEST token at this point (see above).

  // First factor authentication: the server answers by sending an SMS code to the client
  var payload = JsonConvert.SerializeObject(new
  {
      AccountNumber = clientEmail,
      Password = "CLIENT PASSWORD"
  });

  _ = await httpClient.PostAsync("api/v1/users/authentication/first-factor", new StringContent(payload, Encoding.UTF8, "application/json"));

  // Second factor authentication: submit the code received by SMS
  payload = JsonConvert.SerializeObject(new
  {
      AccountNumber = clientEmail,
      SmsToken = "29894"  // Assume this is the code received by SMS
  });

  var httpResponseMessage = await httpClient.PostAsync("api/v1/users/authentication/second-factor", new StringContent(payload, Encoding.UTF8, "application/json"));
  var resultAsString = await httpResponseMessage.Content.ReadAsStringAsync();
  var authenticationResult = JsonConvert.DeserializeObject<AuthenticationSecondFactorOutputModel>(resultAsString);

  // Now, set the CLIENT token for the next requests (the refresh token is kept for the refresh procedure)
  var userId = authenticationResult.Id;
  var clientAuthorizationToken = authenticationResult.AccessToken;
  httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", clientAuthorizationToken);

An SMS code for two-factor authentication is sent by default. However, it is also possible to receive this code by e-mail.

Logout

This process invalidates the authentication token.

   // The call carries the CLIENT token set above; no body is needed
   _ = await httpClient.PostAsync("api/v1/users/authentication/logout", null);

If a token has been invalidated by a logout, it can no longer be refreshed: a new registration is required.

Refresh authentication token

As soon as the authentication token expires, each request will return the status 401 "Unauthorized" and the response will contain a TOKEN-EXPIRED HTTP header with the value "true". However, within the next 5 minutes, it is possible to request a new authentication token by handing over the expired authorization token together with the refresh token that you received when you logged in or registered the client.

The request for a new token must itself be made with a valid token; for this reason, a long-lived GUEST token can be used.


  // The expired CLIENT token cannot authorize the refresh call itself, so switch to the GUEST token
  httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", GUEST_TOKEN);

  // userId and authenticationResult come from the two-factor authentication above
  payload = JsonConvert.SerializeObject(new
  {
      UserId = userId,
      RefreshToken = authenticationResult.RefreshToken,
      AccessToken = authenticationResult.AccessToken  // the expired token
  });

  httpResponseMessage = await httpClient.PostAsync("api/v1/users/authentication/access-token/refresh", new StringContent(payload, Encoding.UTF8, "application/json"));
  resultAsString = await httpResponseMessage.Content.ReadAsStringAsync();
  var accessTokenOutputModel = JsonConvert.DeserializeObject<AccessTokenOutputModel>(resultAsString);

  // Set new CLIENT token for the next HTTP requests
  var newClientAuthorizationToken = accessTokenOutputModel.AccessToken;
  httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", newClientAuthorizationToken);
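The refresh procedure above can be applied automatically by a DelegatingHandler that recognises the 401 + TOKEN-EXPIRED signal, refreshes with the GUEST token and retries once; this is an added example, not code from the original documentation. It assumes the refresh endpoint URL is passed in as an absolute Uri and that AccessTokenOutputModel (named but not shown on this page) exposes AccessToken and RefreshToken; whether the server rotates the refresh token is also an assumption.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Assumed shape of the refresh response (the page names this type but does not show its fields).
public class AccessTokenOutputModel { public string AccessToken { get; set; } public string RefreshToken { get; set; } }
// Sends the CLIENT token with every request; on the documented 401 + TOKEN-EXPIRED: true signal it
// refreshes with the long-lived GUEST token and retries the original request exactly once.
// Not synchronised: with concurrent requests, serialise the refresh (e.g. with a SemaphoreSlim).
public sealed class TokenRefreshHandler : DelegatingHandler
{
    private readonly Uri _refreshEndpoint;   // absolute URL of api/v1/users/authentication/access-token/refresh
    private readonly string _guestToken, _userId;
    private string _accessToken, _refreshToken;
    public TokenRefreshHandler(HttpMessageHandler inner, Uri refreshEndpoint, string guestToken, string userId, string accessToken, string refreshToken)
        : base(inner) { _refreshEndpoint = refreshEndpoint; _guestToken = guestToken; _userId = userId; _accessToken = accessToken; _refreshToken = refreshToken; }
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
        var response = await base.SendAsync(request, ct);
        // Only the documented expiry signal triggers a refresh; any other 401 (e.g. a token invalidated by
        // logout) is returned unchanged and means a full two-factor login is required.
        bool expired = response.StatusCode == HttpStatusCode.Unauthorized
            && response.Headers.TryGetValues("TOKEN-EXPIRED", out var values)
            && values.Any(v => string.Equals(v, "true", StringComparison.OrdinalIgnoreCase));
        if (!expired || !await TryRefreshAsync(ct)) return response;
        // Retry once with the new token (StringContent is buffered, so it can be re-sent).
        var retry = new HttpRequestMessage(request.Method, request.RequestUri) { Content = request.Content };
        retry.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
        return await base.SendAsync(retry, ct);
    }
    private async Task<bool> TryRefreshAsync(CancellationToken ct)
    {
        var payload = JsonConvert.SerializeObject(new { UserId = _userId, RefreshToken = _refreshToken, AccessToken = _accessToken });
        var req = new HttpRequestMessage(HttpMethod.Post, _refreshEndpoint) { Content = new StringContent(payload, Encoding.UTF8, "application/json") };
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _guestToken);   // the refresh call must itself carry a valid token
        var resp = await base.SendAsync(req, ct);
        if (!resp.IsSuccessStatusCode) return false;   // e.g. past the 5-minute window: the caller must log in again
        var model = JsonConvert.DeserializeObject<AccessTokenOutputModel>(await resp.Content.ReadAsStringAsync());
        _accessToken = model.AccessToken;
        _refreshToken = model.RefreshToken ?? _refreshToken;   // assumption: the server may or may not rotate the refresh token
        return true;
    }
}
```

Wire it in with `new HttpClient(new TokenRefreshHandler(new HttpClientHandler(), refreshUri, GUEST_TOKEN, userId, authenticationResult.AccessToken, authenticationResult.RefreshToken))`; a 401 without the TOKEN-EXPIRED header, or a failed refresh, still reaches the caller so it can start a new two-factor authentication.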