From 2f22a1ccf399d44479000aa480810df58f66b2c5 Mon Sep 17 00:00:00 2001 From: Marcus Rohrmoser Date: Wed, 15 Jun 2016 11:35:13 +0200 Subject: [PATCH 1/2] Update api-authentication.md --- api-authentication.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/api-authentication.md b/api-authentication.md index c2a6362..d6a5ca5 100644 --- a/api-authentication.md +++ b/api-authentication.md @@ -1,2 +1,17 @@ # Shaarli API Authentication +## Assumptions and preconditions + +1. there is a webserver, +2. there is a shaarli instance, +3. it should be **KISS** – both on server and client side, +4. it should be **as secure as shaarli** itself (ban after fails), +5. there is only **one user**, so there's no finer authorisation + +## Approaches + +1. Webserver does the auth or +2. get a token from the shaarli webinterface or +3. do a full cycle auth with uid+pwd and e.g. HTTP Digest, OAuth2 or Kerberos. + +I'd propose 2., salt the token and send it in a custom HTTP Request Header, e.g. `SHAARLI_SALTED_AUTH_TOKEN` From a025ca38652b4acbaab9d592739aa1448c61dba8 Mon Sep 17 00:00:00 2001 From: Marcus Rohrmoser Date: Wed, 15 Jun 2016 11:54:28 +0200 Subject: [PATCH 2/2] Update api-authentication.md --- api-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api-authentication.md b/api-authentication.md index d6a5ca5..7eaa6e4 100644 --- a/api-authentication.md +++ b/api-authentication.md @@ -14,4 +14,4 @@ 2. get a token from the shaarli webinterface or 3. do a full cycle auth with uid+pwd and e.g. HTTP Digest, OAuth2 or Kerberos. -I'd propose 2., salt the token and send it in a custom HTTP Request Header, e.g. `SHAARLI_SALTED_AUTH_TOKEN` +I'd propose 2., salt the token and send it in a custom HTTP Request Header, e.g. `SHAARLI_SALTED_AUTH_TOKEN`. It's simple on server and client but a little ugly to set up for testing (no api call to get the token).
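Review bot: the proposed header name `SHAARLI_SALTED_AUTH_TOKEN` in the last added line of this hunk uses underscores, which several webservers and proxies silently drop from request headers (nginx does so unless `underscores_in_headers on` is set), so the token would never reach the application behind such a setup; a hyphenated name such as `X-Shaarli-Auth-Token` avoids this. The same line says "salt the token" without defining the derivation: a fixed header value, salted or not, is a static bearer credential that anyone who observes the request can replay, so the document should state what the client hashes (token plus which nonce or timestamp), how the server validates it, and that the header is only safe over HTTPS. Precondition 4 ("as secure as shaarli itself (ban after fails)") is also not carried through: the approaches section should say that a failed header check counts toward the same ban counter as a failed web login.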
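Review bot: the sentence added in this hunk, "a little ugly to set up for testing (no api call to get the token)", leaves the only issuance path undocumented; since the token is obtained from the web interface, the document should say where in the interface it is shown, whether it can be regenerated or revoked, and that it must be handled as a password-equivalent secret (not committed to test fixtures). Without also defining "salted" from the previous line, a tester cannot compute a valid header value at all, so the testing note should either spell out the client-side computation or reference where it is specified.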