@@ -30,6 +30,16 @@ What authorization to be done on the server is specified by the `@protect_route(
This decorator specifies who is allowed to access this route, which can either be users with specific roles, or people who have joined competitions with specific views.
If the route is not decorated everyone is allowed to access it, the only routes currently like that is logging in as a user and joining a competition, by necessity.
#### JSON Web Tokens (JWT)
We use JSON Web Tokens (JWT) for authentication, both for API and socket events.
A JWT is created on the server when a user logs in or connects to competition.
We store some information in the JWT, which can be seen in the file `server/app/apis/auth.py`.
The JWT is also encrycpted using the secret key defined in `server/configmodule.py`.
(OBS: Change this key before running the server in production).
The client can read the contents of the JWT but cannot modify them because it doesn't have access to the secret key.
This is why the server can simply read the contents of the JWT to be sure that the client is who it says it is.
### Parsing request
After the request is authorized the server will need to parse contents of the request.
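Review bot: the JWT paragraph in this hunk says the token is "encrycpted" (a typo, and the wrong mechanism): the following sentence, "The client can read the contents of the JWT but cannot modify them", describes a signed token, not an encrypted one, so the line should read "The JWT is signed using the secret key defined in `server/configmodule.py`", and the explanation of why the server can trust the token should say that the signature proves the token was issued by the server and has not been altered (and that any expiry claim is checked), not that the contents are secret. Two smaller points in the same hunk: "the only routes currently like that is logging in as a user and joining a competition" should be "are", and the "(OBS: Change this key before running the server in production)" note would be more useful if it also said where the production key is expected to come from (for example an environment variable rather than a literal in `server/configmodule.py`).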