This post was originally published on the website of Pavouk OÜ (Estonia). On 2020-06-12, I announced that Pavouk OÜ was closing. The posts I wrote have been moved here.
We’re pleased to announce the release of Tigrosa 1.2—our authentication and authorisation system. This version introduces a new password-based login system, completely overhauled API documentation, and numerous performance, stability, and security improvements. Tigrosa is like a guard-spider, protecting a backend JSON API, moving concepts such as users and organisations into a dedicated program, and proxying product-specific traffic. Isoxya—our web crawler and data processing system—is built on top of it.
Tigrosa is not currently generally available. However, we’re already using it extensively for Isoxya. Usually, each minor-version release of Isoxya upgrades to the latest version of Tigrosa. That means this release announcement lets you know some of what we’ve been working on for the next Isoxya release. If you’re working on a product you think you might like to integrate in order to offload common authentication operations, then please get in touch.
New Password-based Login System
Up until now, Tigrosa has had only a key-based login system, which uses RSA keys to sign time-limited requests when logging in and generating new session tokens. Some user testing made it clear, however, that this was a rather high barrier to entry, so we’ve added a more traditional password-based login system. This also paves the way for us to support human-facing UIs or web applications, for which usernames and passwords are more traditionally expected.
Overhauled API Documentation
Several prospective clients have received copies of our API documentation in PDF format. Although this makes things like offline reading easier, searching and distribution of up-to-date copies would likely become problematic. We’ve completely overhauled the API documentation to host it on a dedicated website, to which we can grant access as needed. In time, we hope to also overhaul Isoxya’s documentation in the same manner.
We’ve expanded the API to add a number of useful features, such as: configurable session lengths; user account locking; organisation account locking; and expanded subresources. Together, these allow for tighter security, as well as minimising the number of API calls necessary to fetch related data.
Although Tigrosa was already fast, we wanted it to be even faster. We’ve reviewed all our database and cache operations, optimising queries and minimising duplicated work, meaning most operations can now take place entirely in-memory. All this has been done with consideration for high-availability setups, minimising bottlenecks for programs with large numbers of accounts.