Skip to content

Authentication API

The Stratpoint Timesheet Application provides authentication APIs using JWT tokens with app-to-app security through parameter obfuscation and source validation. The API is designed for specific integration partners and uses security through obscurity.

Authentication Overview

Authentication Methods

  • Local Authentication: Email and password-based authentication with obfuscated parameters
  • App-to-App Authentication: Secure communication using encrypted tokens and source validation
  • JWT Token-based Authentication: Bearer tokens for API access
  • SSO Preparation: SSO infrastructure exists but is not actively used

Base URL

All authentication endpoints are available under: 

https://timesheet.stratpoint.com/api/v2/

Authentication Endpoints

Login

Authenticate a user and receive an access token using obfuscated parameters.

POST /authenticate

Request Body: 

{
  "etona": "dXNlckBzdHJhdHBvaW50LmNvbQ==",
  "subok": "cGFzc3dvcmQ=",
  "galingsa": "timesheetweb",
  "bulong": "encrypted_app_token"
}

Parameter Details: - etona: Base64-encoded email address (obfuscated "email") - subok: Base64-encoded password (obfuscated "password") - galingsa: App source identifier (required for security validation) - bulong: Encrypted app token for app-to-app authentication

Successful Response: 

{
  "header": {
    "status": 200,
    "title": "Login",
    "description": "Login Successful"
  },
  "body": {
    "user": {
      "id": 123,
      "firstname": "John",
      "lastname": "Doe",
      "email": "user@stratpoint.com",
      "permission_ids": "1,2,3,57,72",
      "isActive": 1,
      "role_id": 2
    },
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "needPassUpdate": false
  }
}

Error Responses:

User Not Found: 

{
  "header": {
    "status": 412,
    "title": "Login",
    "description": "User not found"
  },
  "body": []
}

Invalid Credentials: 

{
  "header": {
    "status": 412,
    "title": "Login",
    "description": "Invalid credentials"
  },
  "body": []
}

User Not Active: 

{
  "header": {
    "status": 412,
    "title": "Login",
    "description": "User account is not active"
  },
  "body": []
}

Weak Password (Forces Update): 

{
  "header": {
    "status": 200,
    "title": "Change Password",
    "description": "Please make your password stronger"
  },
  "body": {
    "needPassUpdate": true,
    "user": {...},
    "token": "..."
  }
}

Token Refresh

Refresh an existing JWT token before expiration.

GET /authRefresh

Headers: 

Authorization: Bearer {access_token}
galingsa: timesheetweb

Response: 

{
  "header": {
    "status": 200,
    "title": "Token Refresh",
    "description": "Token refreshed successfully"
  },
  "body": {
    "newAuth": {
      "user": {
        "id": 123,
        "firstname": "John",
        "lastname": "Doe",
        "email": "user@stratpoint.com",
        "permission_ids": "1,2,3,57,72"
      },
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
    }
  }
}

Password Reset Request

Request a password reset email.

POST /passwordReset/request

Request Body: 

{
  "email": "user@stratpoint.com"
}

Response: 

{
  "header": {
    "status": 200,
    "title": "Password Reset",
    "description": "We have e-mailed your password reset link!"
  },
  "body": {}
}

Password Reset

Reset password using reset token.

POST /passwordReset/save

Request Body: 

{
  "token": "reset_token_from_email",
  "email": "user@stratpoint.com",
  "password": "new_strong_password",
  "password_confirmation": "new_strong_password"
}

Response: 

{
  "header": {
    "status": 200,
    "title": "Password Reset",
    "description": "Your password has been reset!"
  },
  "body": {}
}

Force Password Change

Force password change for authenticated users.

POST /passwordReset/forceChange

Headers: 

Authorization: Bearer {access_token}
galingsa: timesheetweb

Request Body: 

{
  "current_password": "current_password",
  "password": "new_strong_password",
  "password_confirmation": "new_strong_password"
}

Authentication Flow

Login Flow with Security Validation

sequenceDiagram
    participant C as Client
    participant A as API
    participant AS as AuthService
    participant D as Database

    C->>A: POST /authenticate with obfuscated params
    A->>A: Base64 decode etona/subok
    A->>AS: Validate app source (galingsa/bulong)
    AS->>A: Return custom JWT payload
    A->>D: Attempt authentication
    D->>A: User data (if valid)
    A->>A: Generate JWT with custom claims
    A->>C: Return token + user data

Token Usage Flow

sequenceDiagram
    participant C as Client
    participant M as Middleware (MyGetUserFromToken)
    participant A as API Controller
    participant D as Database

    C->>M: API Request + Bearer Token + galingsa
    M->>M: Validate JWT
    M->>M: Check Auth-Method header
    M->>D: Get user data
    D->>M: User information
    M->>A: Request with authUser
    A->>C: API Response

App-to-App Authentication

App Source Validation

All requests require app source validation through headers:

Required Headers: 

galingsa: {app_source_name}
bulong: {encrypted_app_token}

App Sources: - timesheetweb: Main web application - k2mentor: K2 Mentor integration - f1: F1 resource management integration - sinop: SINOP integration - csat: CSAT integration - wookie: Wookie integration

Security Implementation

Parameter Obfuscation: - Email parameter is named etona (obfuscated "email") - Password parameter is named subok (obfuscated "password") - App source is galingsa (Filipino for "from where") - App token is bulong (Filipino for "whisper/secret")

Token Structure: JWT tokens contain custom claims: 

{
  "sub": "user_id",
  "iat": "issued_at_timestamp",
  "exp": "expiration_timestamp",
  "pinasukan": "app_source",
  "orasPumasok": "login_timestamp"
}

Error Handling

Common HTTP Status Codes

Status Code Description Common Causes
200 Success Successful authentication
401 Unauthorized Invalid or expired token
412 Precondition Failed User not found, inactive, or invalid credentials
422 Unprocessable Entity Validation errors
429 Too Many Requests Rate limit exceeded (5 attempts in 15 minutes)

Error Response Format

All error responses follow this structure: 

{
  "header": {
    "status": 412,
    "title": "Error Title",
    "description": "Error description"
  },
  "body": {
    "errors": "Error details or validation messages"
  }
}

Rate Limiting and Security

Login Throttling

  • Maximum attempts: 5 failed attempts
  • Lockout duration: 15 minutes
  • Scope: Per email address

Password Security

  • Weak passwords trigger forced password update
  • Password reset tokens have limited lifespan
  • All password operations require proper validation

App Source Security

  • Every request must include valid galingsa and bulong headers
  • App tokens are encrypted and validated server-side
  • Invalid app sources result in 401 Unauthorized

SSO Integration (Prepared but Inactive)

SSO Configuration Endpoint

GET /sso_config

Note: SSO infrastructure exists but is not currently active in the production environment.

Response: 

{
  "header": {
    "status": 200,
    "title": "SSO Configuration",
    "description": "SSO configuration retrieved"
  },
  "body": {
    "authMethod": "local",
    "ssoEnabled": false
  }
}

Key Implementation Notes

  1. Security Through Obscurity: Parameter names are intentionally obfuscated
  2. App-Specific Design: API is designed for specific integration partners
  3. Base64 Encoding: Credentials must be base64-encoded in requests
  4. Custom Response Format: All responses use header/body structure
  5. Permission String Format: Permissions stored as comma-separated string
  6. Business Logic Integration: Authentication includes business rules (password strength, user status)

This authentication system prioritizes security for a business-specific application environment over generic REST API standards.