JSON-RPC Authentication

docs/JSON-RPC-API/Authentication.md

@@ -0,0 +1,96 @@
+# Authentication and Authorization 
+
+Authentication identifies a user based on a username and password. Authorization verifies whether the user has
+access to the JSON-RPC method they are requesting.  
+
+Pantheon uses the username and password to authenticate users and [JWT tokens](https://jwt.io/introduction/) to authorize JSON-RPC API requests. 
+
+!!! important 
+    Authenticated requests must be made over HTTPS. HTTPS is encrypted which prevents eavesdropping on the connection
+    to obtain the JWT token from the requests.
+
+## Credentials File 
+
+The credentials file is a `toml` file defining user details and the JSON-RPC methods to which they have access. 
+
+!!! example "Example Credentials File"
+    ```toml
+    [Users.username1]
+    password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+    permissions=["net:*","eth:blockNumber"]
+
+    [Users.username2]
+    password = "$2b$10$6sHt1J0MVUGIoNKvJiK33uaZzUwNmMmJlaVLkIwinkPiS1UBnAnF2"
+    permissions=["net:version","admin:*"]
+    ```
+
+Each user requiring JSON-RPC access is listed with: 
+
+* Username. `Users.` is mandatory and followed by the username. That is, replace `<username>` in `[Users.<username>]` with the username being defined. 
+* Hash of the user password. Use the [`password hash`](../Reference/Pantheon-CLI-Syntax.md#password) subcommand to generate the hash. 
+* JSON-RPC permissions. 
+
+!!! example "password hash Subcommand"
+    ```bash
+    pantheon password hash --password=pegasys
+    ```
+
+## JSON-RPC Permissions 
+
+Each user has a list of permissions strings defining the methods they can access. To give access to: 
+
+* All API methods, specify `["*:*"]`.
+* All API methods in an API group, specify `["<api_group>:*"]`. For example, `["eth:*"]`. 
+* Specific API methods, specify `["<api_group>:<method_name>"]`. For example, `["admin:peers"]`.
+
+If authentication is enabled, to explicitly specify a user cannot access any methods, include the user with an empty permissions list (`[]`). 
+Users with an empty permissions list and users not included in the credentials file cannot access any JSON-RPC
+methods. 
+
+## Enabling Authentication 
+
+Use the [` --rpc-http-authentication-enabled`](../Reference/Pantheon-CLI-Syntax.md#rpc-http-authentication-enabled) or 
+ [`--rpc-ws-authentication-enabled`](../Reference/Pantheon-CLI-Syntax.md#rpc-ws-authentication-enabled)
+ options to require authentication for the JSON-RPC API.
+
+Use the [`--rpc-http-authentication-credentials-file`](../Reference/Pantheon-CLI-Syntax.md#rpc-http-authentication-credentials-file)
+and [`--rpc-ws-authentication-credentials-file`](../Reference/Pantheon-CLI-Syntax.md#rpc-ws-authentication-credentials-file) 
+options to specify the [credentials file](#credentials-file).  
+
+## Obtaining an Authentication Token 
+
+To obtain an authentication token, make a request to the `/login` endpoint with your username and password. 
+
+!!! example
+    ```bash tab="curl HTTPS request"
+    $ curl -X POST --data '{"username":"username1","password":"pegasys"}' <JSON-RPC-https-endpoint:port>/login
+    ```
+
+    ```json tab="JSON result"
+    {"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJwZXJtaXNzaW9ucyI6WyIqOioiXSwidXNlcm5hbWUiOiJ1c2VyMiIsImlhdCI6MTU1MDQ2MDYwNCwiZXhwIjoxNTUwNDYwOTA0fQ.l2Ycqzl_AyvReXBeUSayOlOMS_E8-DCuz3q0Db0DKD7mqyl6q-giWoEtfdWzUEvZbRRi2_ecKO3N6JkXq7zMKQAJbVAEzobfbaaXWcQEpHOjtnK4_Yz-UPyKiXtu7HGdcdl5Tfx3dKoksbqkBl3U3vFWxzmFnuu3dAISfVJYUNA"}
+    ``` 
+
+Authentication tokens expire 5 minutes after being generated. It is necessary to generate a new authentication 
+token if access is required after token expiration.     
+
+## Using an Authentication Token to Make Requests 
+
+Specify the authentication token as a `Bearer` token in the JSON-RPC request header. 
+
+### Postman
+
+In the _Authorization_ tab in the _TYPE_ drop-down list, select *Bearer Token* and specify the token 
+generated by the [`login` request](#obtaining-an-authentication-token). 
+
+### Curl
+
+Specify the `Bearer` in the header. 
+
+!!! example
+    ```bash tab="curl Request with Authentication Placeholders"
+    curl -X POST -H 'Authorization: Bearer <JWT_TOKEN>' -d '{"jsonrpc":"2.0","method":"<API_METHOD>","params":[],"id":1}' <JSON-RPC-https-endpoint:port>
+    ```
+
+    ```bash tab="curl Request with Authentication"
+    curl -X POST -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJwZXJtaXNzaW9ucyI6WyIqOioiXSwidXNlcm5hbWUiOiJ1c2VyMiIsImlhdCI6MTU1MDQ2MTQxNiwiZXhwIjoxNTUwNDYxNzE2fQ.WQ1mqpqzRLHaoL8gOSEZPvnRs_qf6j__7A3Sg8vf9RKvWdNTww_vRJF1gjcVy-FFh96AchVnQyXVx0aNUz9O0txt8VN3jqABVWbGMfSk2T_CFdSw5aDjuriCsves9BQpP70Vhj-tseaudg-XU5hCokX0tChbAqd9fB2138zYm5M' -d '{"jsonrpc":"2.0","method":"net_listening","params":[],"id":1}' https://localhost:8545
+    ```

docs/JSON-RPC-API/JSON-RPC-API.md

@@ -0,0 +1,19 @@
+description: Pantheon JSON-RPC API reference
+<!--- END of page meta data -->
+
+# JSON-RPC API Overview
+
+The Pantheon JSON-RPC API uses the [JSON-RPC v2.0](https://www.jsonrpc.org/specification) specification of the JSON-RPC protocol. 
+
+The [JSON](http://json.org/) (RFC 4627) format which represents 
+objects and data fields as collections of name/value pairs, in a readable, hierarchical form. 
+Values have specific data types such as quantities (decimal integers, hexadecimal numbers, strings) and 
+unformatted data (byte arrays, account addresses, hashes, and bytecode arrays).
+
+RPC is the remote procedure call protocol (RFC 1831). The protocol is stateless and transport agnostic in that the concepts 
+can be used within the same process, over sockets, over HTTP, or in various message passing environments.
+
+* [Using the Pantheon JSON-RPC API](Using-JSON-RPC-API.md)
+* [Authentication](Authentication.md)
+* [JSON-RPC API Methods](../Reference/JSON-RPC-API-Methods.md)
+* [JSON-RPC API Objects](../Reference/JSON-RPC-API-Objects.md)

docs/Reference/Using-JSON-RPC-API.md → docs/JSON-RPC-API/Using-JSON-RPC-API.md

@@ -3,31 +3,13 @@ description: How to use Pantheon JSON-RPC API
 
 # Using the JSON-RPC API
 
-!!!attention "Breaking Change in v0.8.3"
-
-    From v0.8.3, to prevent an issue known as DNS rebinding incoming HTTP requests are only accepted from hostnames specified using the [`--host-whitelist`](Pantheon-CLI-Syntax.md#host-whitelist) option.
-    The default value for [`--host-whitelist`](Pantheon-CLI-Syntax.md#host-whitelist) is `localhost`. 
-
-    If using the URL `http://127.0.0.1` to make JSON-RPC calls, use [`--host-whitelist`](Pantheon-CLI-Syntax.md#host-whitelist) to specify the hostname `127.0.0.1` or update the hostname in the JSON-RPC call to `localhost`. 
-
-    If your application publishes RPC ports, specify the hostnames when starting Pantheon. For example:  
-    ```bash
-    pantheon --host-whitelist=example.com
-    ```
-
-    Specify `*` or `all` for [`--host-whitelist`](Pantheon-CLI-Syntax.md#host-whitelist) to effectively disable host protection and replicate pre-v0.8.3 behavior.
-
-    **This is not recommended for production code.**
-
-## Using the Pantheon JSON-RPC API
-
-### Postman
+## Postman
 
 Use the button to import our collection of examples to [Postman](https://www.getpostman.com/). 
 
 [![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/cffe1bc034b3ab139fa7)
 
-### Endpoint Host and Port
+## Endpoint Host and Port
 
 The placeholder
 `<JSON-RPC-http-endpoint:port>` and `<JSON-RPC-ws-endpoint:port>` represents an endpoint (IP address and port) 
@@ -51,19 +33,23 @@ options to specify the port on which the JSON-RPC listens. The default ports are
 * 8545 for HTTP
 * 8546 for WebSockets
 
-### HTTP and WebSocket Requests
+## JSON-RPC Authentication 
 
-#### HTTP
+[Authentication](Authentication.md) is disabled by default. 
 
-To make RPC over HTTP requests, you can use the `curl` tool, available in many systems using [curl source code or pre-compiled packages](https://curl.haxx.se/download.html).
+## HTTP and WebSocket Requests
+
+### HTTP
+
+To make RPC requests over HTTP, you can use [`curl`](https://curl.haxx.se/download.html).
 
 ```bash
 $ curl -X POST --data '{"jsonrpc":"2.0","method":"web3_clientVersion","params":[],"id":53}' <JSON-RPC-http-endpoint:port>
 ```
 
-#### WebSockets
+### WebSockets
 
-To make requests over WebSockets, this reference uses [wscat](https://github.com/websockets/wscat), a Node.js based command-line tool.
+To make RPC requests over WebSockets, you can use [wscat](https://github.com/websockets/wscat), a Node.js based command-line tool.
 
 First connect to the WebSockets server using `wscat` (you only need to connect once per session):
 
@@ -78,36 +64,46 @@ Send individual requests as a JSON data package at each prompt:
 > {"jsonrpc":"2.0","method":"web3_clientVersion","params":[],"id":53}
 ```
 
+<<<<<<< HEAD:docs/JSON-RPC-API/Using-JSON-RPC-API.md
+The [RPC Pub/Sub methods](../Using-Pantheon/RPC-PubSub.md) can also be used over WebSockets.
+
+!!! note 
+    `wscat` does not support headers. [Authentication](Authentication.md) requires an authentication token to be passed in the 
+    request header. To use authentication with WebSockets, an app that supports headers is required. 
+
+## API Methods Enabled by Default
+=======
 ### API Methods Enabled by Default
+>>>>>>> 149c0c24631231f8a96f5740534d309774e99ff5:docs/Reference/Using-JSON-RPC-API.md
 
 The `ETH`, `NET`, and `WEB3` API methods are enabled by default. 
 
-Use the [`--rpc-http-api`](Pantheon-CLI-Syntax.md#rpc-http-api) or [`--rpc-ws-api`](Pantheon-CLI-Syntax.md#rpc-ws-api) 
+Use the [`--rpc-http-api`](../Reference/Pantheon-CLI-Syntax.md#rpc-http-api) or [`--rpc-ws-api`](../Reference/Pantheon-CLI-Syntax.md#rpc-ws-api) 
 options to enable the `ADMIN` ,`CLIQUE`,`DEBUG`, `IBFT` and `MINER` API methods.
 
 !!! note
     IBFT 2.0 is under development and will be available in v1.0. 
 
-### Block Parameter
+## Block Parameter
 
 When you make requests that might have different results depending on the block accessed, 
 the block parameter specifies the block. 
-Several methods, such as [eth_getTransactionByBlockNumberAndIndex](JSON-RPC-API-Methods.md#eth_gettransactionbyblocknumberandindex), have a block parameter.
+Several methods, such as [eth_getTransactionByBlockNumberAndIndex](../Reference/JSON-RPC-API-Methods.md#eth_gettransactionbyblocknumberandindex), have a block parameter.
 
 The block parameter can have the following values:
 
 * `blockNumber` : `quantity` - Block number. Can be specified in hexadecimal or decimal. 0 represents the genesis block.
 * `earliest` : `tag` - Earliest (genesis) block. 
 * `latest` : `tag` - Last block mined.
-* `pending` : `tag` - Last block mined plus pending transactions. Use only with [eth_getTransactionCount](JSON-RPC-API-Methods.md#eth_gettransactioncount).  
+* `pending` : `tag` - Last block mined plus pending transactions. Use only with [eth_getTransactionCount](../Reference/JSON-RPC-API-Methods.md#eth_gettransactioncount).  
 
 ## Not Supported by Pantheon
 
 ### Account Management 
 
 Account management relies on private key management in the client which is not implemented by Pantheon. 
 
-Use [`eth_sendRawTransaction`](JSON-RPC-API-Methods.md#eth_sendrawtransaction) to send signed transactions; `eth_sendTransaction` is not implemented. 
+Use [`eth_sendRawTransaction`](../Reference/JSON-RPC-API-Methods.md#eth_sendrawtransaction) to send signed transactions; `eth_sendTransaction` is not implemented. 
 
 Use third-party wallets for [account management](../Using-Pantheon/Account-Management.md). 
 

docs/Reference/JSON-RPC-API-Methods.md

@@ -3,11 +3,6 @@ description: Pantheon JSON-RPC API methods reference
 
 # JSON-RPC API Methods
 
-!!! danger "Breaking Change in v0.8.3"
-    From v0.8.3, incoming HTTP requests are only accepted from hostnames specified using the [`--host-whitelist`](Using-JSON-RPC-API.md) option. 
-
-The following lists the Pantheon JSON-RPC API commands:
-
 ## Admin Methods
 
 !!! note
@@ -482,7 +477,7 @@ None
 Returns a list of account addresses that the client owns.
 
 !!!note
-    This method returns an empty object because Pantheon [does not support account management](Using-JSON-RPC-API.md#account-management).
+    This method returns an empty object because Pantheon [does not support account management](../JSON-RPC-API/Using-JSON-RPC-API.md#account-management).
 
 **Parameters**
 
@@ -547,7 +542,7 @@ Returns the account balance of the specified address.
 
 `DATA` - 20-byte account address from which to retrieve the balance.
 
-`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 **Returns**
 
@@ -580,7 +575,7 @@ Returns the value of a storage position at a specified address.
 
 `QUANTITY` - Integer index of the storage position.
 
-`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 **Returns**
 
@@ -613,7 +608,7 @@ Returns the number of transactions sent from a specified address.
 
 `DATA` - 20-byte account address.
 
-`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 **Returns**
 
@@ -671,7 +666,7 @@ Returns the number of transactions in a block matching the specified block numbe
 
 **Parameters**
 
-`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 **Returns**
 
@@ -729,7 +724,7 @@ Returns the number of uncles in a block matching the specified block number.
 
 **Parameters**
 
-`QUANTITY|TAG` - Integer representing either the 0-based index of the block within the blockchain, or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing either the 0-based index of the block within the blockchain, or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 **Returns**
 
@@ -760,7 +755,7 @@ Returns the code of the smart contract at the specified address. Compiled smart
 
 `DATA` - 20-byte contract address.
 
-`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 **Returns**
 
@@ -792,7 +787,7 @@ You can interact with contracts using [eth_sendRawTransaction or eth_call](../Us
 To avoid exposing your private key, create signed transactions offline and send the signed transaction data using `eth_sendRawTransaction`. 
 
 !!!important
-    Pantheon does not implement [eth_sendTransaction](Using-JSON-RPC-API.md#account-management).
+    Pantheon does not implement [eth_sendTransaction](../JSON-RPC-API/Using-JSON-RPC-API.md#account-management).
 
 **Parameters**
 
@@ -834,7 +829,7 @@ You can interact with contracts using [eth_sendRawTransaction or eth_call](../Us
 
 *OBJECT* - [Transaction call object](JSON-RPC-API-Objects.md#transaction-call-object).
 
-*QUANTITY|TAG* - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+*QUANTITY|TAG* - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 **Returns**
 
@@ -986,7 +981,7 @@ Returns information about a block by block number.
 
 **Parameters**
 
-`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 `Boolean` - If `true`, returns the full [transaction objects](JSON-RPC-API-Objects.md#transaction-object); if `false`, returns only the hashes of the transactions.
 
@@ -1127,7 +1122,7 @@ Returns transaction information for the specified block number and transaction i
 
 **Parameters**
 
-`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter).
+`QUANTITY|TAG` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter).
 
 `QUANTITY` - The transaction index position.
 
@@ -1609,7 +1604,7 @@ Lists signers for the specified block.
 
 **Parameters** 
 
-`quantity|tag` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter). 
+`quantity|tag` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter). 
 
 **Returns**
 
@@ -2132,7 +2127,7 @@ Lists the validators defined in the specified block.
 
 **Parameters** 
 
-`quantity|tag` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](Using-JSON-RPC-API.md#block-parameter). 
+`quantity|tag` - Integer representing a block number or one of the string tags `latest`, `earliest`, or `pending`, as described in [Block Parameter](../JSON-RPC-API/Using-JSON-RPC-API.md#block-parameter). 
 
 **Returns**