Autentifikacija

SMSBAT ChatHub API koristi dvorazinski sustav provjere autentičnosti temeljen na JWT tokenu s tokenima tvrtke i tokenima operatera.

Tijek provjere autentičnosti

graph TD
    A[Login Credentials] --> B[Get Company Token]
    B --> C[Use Company Token]
    C --> D[Get Operator Token]
    D --> E[Use Operator Token]
    E --> F[Validate Token]

Token tvrtke

Tokeni tvrtke omogućuju pristup ChatHub API-ju na razini organizacije.

Nabavite token tvrtke

Krajnja točka: POST /api/company/get-token

Zahtjev:

curl -X POST https://chatapi.smsbat.com/api/company/get-token \
  -H "Content-Type: application/json" \
  -d '{
    "login": "your-company-login",
    "password": "your-company-password"
  }'

Tijelo zahtjeva:

{
  "login": "string",
  "password": "string"
}

Odgovor:

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

Odgovor je niz JWT tokena.

Koristite token tvrtke

Uključite token tvrtke u API zahtjeve pomoću jedne od dvije metode:

Metoda 1: Zaglavlje autorizacije (preporučeno)

curl -X GET https://chatapi.smsbat.com/api/company/organization \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Metoda 2: Zaglavlje X-Authorization-Key

curl -X GET https://chatapi.smsbat.com/api/company/organization \
  -H "X-Authorization-Key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Token operatera

Operatorski tokeni pružaju korisnički specifičan pristup za pojedinačne operatere unutar organizacije.

Nabavite operatorski token

Krajnja točka: POST /api/operator/get-token

Zahtjev:

curl -X POST https://chatapi.smsbat.com/api/operator/get-token \
  -H "Authorization: Bearer {company-token}" \
  -H "Content-Type: application/json" \
  -d '{
    "id": 123,
    "expiresAt": "2025-12-31T23:59:59Z"
  }'

Tijelo zahtjeva:

{
  "id": 0,
  "expiresAt": "2025-01-20T14:33:34.147Z"
}

Parametri:

Parametar	Upišite	Obavezno	Opis
`id`	cijeli broj	Da	ID operatera
`ističe u`	niz (ISO 8601)	Da	Datum i vrijeme isteka tokena (najviše 24 sata od sada)

Važno: Maksimalno trajanje tokena je 24 sata. Parametar expiresAt ne može biti više od 24 sata u budućnosti.

Odgovor:

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVyYXRvcl9pZCI6MTIzLCJleHAiOjE3Mzc0MTI3OTl9.example_signature"

Koristite token operatera

Uključite operatorski token u API zahtjeve:

curl -X GET https://chatapi.smsbat.com/api/operator \
  -H "Authorization: Bearer {operator-token}"

Validacija tokena

Provjerite je li token još uvijek valjan prije nego što ga upotrijebite.

Krajnja točka: POST /api/operator/validate-token

Zahtjev:

curl -X POST https://chatapi.smsbat.com/api/operator/validate-token \
  -H "Authorization: Bearer {company-token}" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }'

Tijelo zahtjeva:

{
  "token": "string"
}

Odgovor (valjani token):

{
  "isValid": true,
  "operatorId": 123,
  "clientId": 0,
  "expiresAt": "2025-12-31T23:59:59Z",
  "error": null
}

Odgovor (nevažeći token):

{
  "isValid": false,
  "error": "Invalid token"
}

Istek tokena

Tokeni tvrtke

Nema eksplicitnog isteka u API-ju
Kontaktirajte svog upravitelja računa za pravila životnog ciklusa tokena
Povremeno rotirajte tokene radi sigurnosti

Tokeni operatera

Istek postavljen kada se traži token (parametar expiresAt)
Provjerite valjanost tokena prije upotrebe
Zatražite nove tokene prije isteka

Primjeri implementacije

Python

import requests
from datetime import datetime, timedelta

class ChatHubAuth:
    def __init__(self, base_url):
        self.base_url = base_url
        self.company_token = None
        self.operator_tokens = {}

    def get_company_token(self, login, password):
        """Get company authentication token"""
        response = requests.post(
            f"{self.base_url}/api/company/get-token",
            json={"login": login, "password": password}
        )
        response.raise_for_status()
        self.company_token = response.json()
        return self.company_token

    def get_operator_token(self, operator_id, expires_days=30):
        """Get operator token with expiration"""
        expires_at = (
            datetime.utcnow() + timedelta(days=expires_days)
        ).isoformat() + "Z"

        response = requests.post(
            f"{self.base_url}/api/operator/get-token",
            headers={"Authorization": f"Bearer {self.company_token}"},
            json={"id": operator_id, "expiresAt": expires_at}
        )
        response.raise_for_status()

        token = response.json()
        self.operator_tokens[operator_id] = token
        return token

    def validate_token(self, token):
        """Validate if token is still valid"""
        response = requests.post(
            f"{self.base_url}/api/operator/validate-token",
            headers={"Authorization": f"Bearer {self.company_token}"},
            json={"token": token}
        )
        response.raise_for_status()
        return response.json()

# Usage
auth = ChatHubAuth("https://chatapi.smsbat.com")

# Get company token
company_token = auth.get_company_token("login", "password")

# Get operator token
operator_token = auth.get_operator_token(operator_id=123, expires_days=30)

# Validate token
is_valid = auth.validate_token(operator_token)
print(f"Token valid: {is_valid['valid']}")

JavaScript (Node.js)

const axios = require('axios');

class ChatHubAuth {
  constructor(baseUrl) {
    this.baseUrl = baseUrl;
    this.companyToken = null;
    this.operatorTokens = {};
  }

  async getCompanyToken(login, password) {
    const response = await axios.post(
      `${this.baseUrl}/api/company/get-token`,
      { login, password }
    );

    this.companyToken = response.data;
    return this.companyToken;
  }

  async getOperatorToken(operatorId, expiresDays = 30) {
    const expiresAt = new Date(
      Date.now() + expiresDays * 24 * 60 * 60 * 1000
    ).toISOString();

    const response = await axios.post(
      `${this.baseUrl}/api/operator/get-token`,
      { id: operatorId, expiresAt },
      {
        headers: {
          Authorization: `Bearer ${this.companyToken}`
        }
      }
    );

    const token = response.data;
    this.operatorTokens[operatorId] = token;
    return token;
  }

  async validateToken(token) {
    const response = await axios.post(
      `${this.baseUrl}/api/operator/validate-token`,
      { token },
      {
        headers: {
          Authorization: `Bearer ${this.companyToken}`
        }
      }
    );

    return response.data;
  }
}

// Usage
const auth = new ChatHubAuth('https://chatapi.smsbat.com');

async function authenticate() {
  // Get company token
  const companyToken = await auth.getCompanyToken('login', 'password');

  // Get operator token
  const operatorToken = await auth.getOperatorToken(123, 30);

  // Validate token
  const validation = await auth.validateToken(operatorToken);
  console.log('Token valid:', validation.isValid);
}

authenticate();

PHP

<?php

class ChatHubAuth {
    private $baseUrl;
    private $companyToken;
    private $operatorTokens = [];

    public function __construct($baseUrl) {
        $this->baseUrl = $baseUrl;
    }

    public function getCompanyToken($login, $password) {
        $ch = curl_init($this->baseUrl . '/api/company/get-token');

        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/json'
        ]);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
            'login' => $login,
            'password' => $password
        ]));

        $response = curl_exec($ch);
        curl_close($ch);

        $this->companyToken = json_decode($response);
        return $this->companyToken;
    }

    public function getOperatorToken($operatorId, $expiresDays = 30) {
        $expiresAt = date(
            'Y-m-d\TH:i:s\Z',
            time() + ($expiresDays * 24 * 60 * 60)
        );

        $ch = curl_init($this->baseUrl . '/api/operator/get-token');

        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/json',
            'Authorization: Bearer ' . $this->companyToken
        ]);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
            'id' => $operatorId,
            'expiresAt' => $expiresAt
        ]));

        $response = curl_exec($ch);
        curl_close($ch);

        $token = json_decode($response);
        $this->operatorTokens[$operatorId] = $token;
        return $token;
    }

    public function validateToken($token) {
        $ch = curl_init($this->baseUrl . '/api/operator/validate-token');

        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/json',
            'Authorization: Bearer ' . $this->companyToken
        ]);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
            'token' => $token
        ]));

        $response = curl_exec($ch);
        curl_close($ch);

        return json_decode($response, true);
    }
}

// Usage
$auth = new ChatHubAuth('https://chatapi.smsbat.com');

// Get company token
$companyToken = $auth->getCompanyToken('login', 'password');

// Get operator token
$operatorToken = $auth->getOperatorToken(123, 30);

// Validate token
$validation = $auth->validateToken($operatorToken);
echo "Token valid: " . ($validation['isValid'] ? 'Yes' : 'No');

Najbolji primjeri iz prakse

Pohrana tokena

✅ Pohranite tokene na siguran način (kriptirana baza podataka, upravitelj tajni)
✅ Nikada nemojte predavati tokene kontroli verzija
✅ Koristite varijable okruženja za vjerodajnice
❌ Ne pohranjujte tokene u običnom tekstu
❌ Nemojte izlagati tokene u kodu na strani klijenta

Rotacija tokena

Povremeno rotirajte tokene tvrtke (svakih 3-6 mjeseci)
Postavite razuman rok trajanja za tokene operatera (7-30 dana)
Implementirajte automatsko osvježavanje tokena prije isteka
Opozovite tokene kada operateri odu

Rješavanje grešaka

async function authenticateWithRetry(login, password, retries = 3) {
  for (let i = 0; i < retries; i++) {
    try {
      return await getCompanyToken(login, password);
    } catch (error) {
      if (error.response?.status === 401) {
        throw new Error('Invalid credentials');
      }

      if (i === retries - 1) throw error;

      // Wait before retry
      await new Promise(resolve =>
        setTimeout(resolve, Math.pow(2, i) * 1000)
      );
    }
  }
}

Validacija tokena

Uvijek provjerite tokene prije kritičnih operacija:

async function performSecureOperation(token, operation) {
  // Validate token first
  const validation = await validateToken(token);

  if (!validation.isValid) {
    throw new Error('Token expired or invalid');
  }

  // Proceed with operation
  return await operation();
}

Sigurnosna razmatranja

Samo HTTPS

Uvijek koristite HTTPS kada šaljete zahtjeve za autentifikaciju:

// ✅ Correct
const baseUrl = 'https://chatapi.smsbat.com';

// ❌ Wrong - never use HTTP for authentication
const baseUrl = 'http://api.chathub.smsbat.com';

Opseg tokena

Koristite odgovarajući token za svaku operaciju:

Token tvrtke: Upravljanje organizacijom, stvaranje operatera
Operator Token: operacije chata, rukovanje porukama

Ograničenje brzine

Implementacija ograničenja brzine za zahtjeve za autentifikaciju:

class RateLimitedAuth {
  constructor() {
    this.lastRequest = 0;
    this.minInterval = 1000; // 1 second between requests
  }

  async getToken(login, password) {
    const now = Date.now();
    const timeSinceLastRequest = now - this.lastRequest;

    if (timeSinceLastRequest < this.minInterval) {
      await new Promise(resolve =>
        setTimeout(resolve, this.minInterval - timeSinceLastRequest)
      );
    }

    this.lastRequest = Date.now();
    return await makeAuthRequest(login, password);
  }
}

Rješavanje problema

401 Neovlašteno

Provjerite jesu li vjerodajnice točne
Čekovni token nije istekao
Provjerite je li token uključen u zaglavlja zahtjeva
Potvrdite format tokena

403 Zabranjeno

Provjerite ima li token potrebna dopuštenja
Provjerite koristite li ispravnu vrstu tokena (tvrtka nasuprot operateru)
Provjerite nije li token opozvan

Token je istekao

Zatražite novi token
Implementirajte automatsko osvježavanje tokena
Postavite odgovarajuća vremena isteka

Sljedeći koraci

Organizacije - Upravljanje organizacijama
Operatori - Rad s operaterima
Integracija widgeta - Integrirajte widget za chat