How to obtain the user_id to perform JWT login?

Hi everyone,

I’m trying to implement a simple client for the Passbolt API (v5.0.0). I see that the JWT login endpoint (auth/jwt/login.json) requires a user_id.

I understand that this can be retrieved manually from the Users & Groups page or via the /users/me.json endpoint, but both seem to require authentication. How can I obtain the user_id before logging in to authenticate myself?

Thanks in advance!

As far as I know that is not possible.
I do not think it would be wise if the user_ids could be enumerated.

Fair enough. I agree that the user IDs should be kept private. At the same time, a user should be authenticated with a username, passphrase, and private key on the system. Nevertheless, the JWT method is indicated as “the preferred way.” So, maybe I’m missing a step or not understanding something?

I understand what you are saying, and it would make sense to log in with the same credential sets as the plugins do. As a user I do not know the reasoning behind this choice.

It might be worth submitting a feature request? Or maybe wait for someone from Passbolt to elaborate.


Hello,

Just to pitch in: the reason for not listing the user UUID is indeed to prevent enumeration.

Another way to go about account management that would be easier for your purpose would be to download the account kit (e.g. what is needed for the desktop app, under /app/settings/desktop).

It is a base64 encoded file that contains all the information for the user including OpenPGP key and user_id, the server public key to use to verify the message, etc. It’s signed with the user key as well. This way you don’t have to manage the “user account” properties yourself. When decoded it looks like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

{"domain":"<DOMAIN>","user_id":"<USERID>", etc.}
-----BEGIN PGP SIGNATURE-----

wrsEARYKAG0FgmjSc0gJkBCzWLCC1S1hRRQAAAAAABwAIHNhbHRAbm90YXRp
b25zLm9wZW5wZ3Bqcy5vcmdUbp+OiVT3cl9peMVxpwQE+GBvLOrdoaFobeE7
=wGDs
-----END PGP SIGNATURE-----
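As an added example (not Passbolt's own code and not from this thread): a small Python reader for the account kit shape described above, run against a constructed sample kit. The domain, user_id and signature lines in the sample are made up, and the signature block is a placeholder; a real client must verify the clearsigned message against the user's key with an OpenPGP library before trusting the values it extracts.

```python
import base64
import json
import re
import uuid

# Constructed sample in the shape shown in the post above (base64 of a
# clearsigned JSON document). The signature lines are a placeholder, not a
# real OpenPGP signature, and the domain and user_id are made up.
_SAMPLE_CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA512\n"
    "\n"
    '{"domain":"https://passbolt.example.test",'
    '"user_id":"8d04cf98-716b-4d6c-ba9d-7f9fbbd19d3b"}\n'
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "placeholder-signature-data\n"
    "=XXXX\n"
    "-----END PGP SIGNATURE-----\n"
)
SAMPLE_ACCOUNT_KIT = base64.b64encode(_SAMPLE_CLEARSIGNED.encode()).decode()

# Clearsigned layout: armor header, "Hash:" headers, blank line, signed text,
# then the detached armored signature.
_CLEARSIGN_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n"
    r"(?P<headers>(?:[A-Za-z-]+: .*\r?\n)*)\r?\n"
    r"(?P<body>.*?)\r?\n"
    r"(?P<sig>-----BEGIN PGP SIGNATURE-----\r?\n.*?-----END PGP SIGNATURE-----)",
    re.DOTALL,
)


def split_clearsigned(text):
    """Return (signed_text, armored_signature) or raise on a malformed kit."""
    m = _CLEARSIGN_RE.search(text)
    if not m:
        raise ValueError("account kit is not a clearsigned OpenPGP message")
    return m.group("body"), m.group("sig")


def read_account_kit(kit_b64):
    """Decode a kit and return (domain, user_id, armored_signature).

    The signature is returned, not verified: verify it with an OpenPGP
    library (assumption: pgpy or gpg) before using domain or user_id.
    """
    raw = base64.b64decode(kit_b64, validate=True).decode("utf-8")
    body, sig = split_clearsigned(raw)
    data = json.loads(body)
    user_id = str(uuid.UUID(data["user_id"]))  # reject anything not a UUID
    domain = data["domain"]
    if not domain.startswith("https://"):  # own policy, not a Passbolt rule
        raise ValueError("refusing to log in against a non-HTTPS domain")
    return domain, user_id, sig
```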

Thank you, indeed the account kit contains everything. I tried the desktop app login and indeed it is good UX: a file and the passphrase are all that is needed to authenticate a user. I think I’ll go with this flow.

I’d suggest mentioning this in the documentation, as I understand it’s the best practice.