This document describes the token authentication flow between different components of the system: Frontend, Backend, and OvenMediaEngine.
```text
+--------+        +-----------+       +---------+       +----------------+
|  User  |        | Frontend  |       | Backend |       | OvenMediaEngine|
+--------+        +-----------+       +---------+       +----------------+
    |                   |                  |                    |
    | Login/Password    |                  |                    |
    |------------------>|                  |                    |
    |                   |                  |                    |
    |                   | POST /auth       |                    |
    |                   |----------------->|                    |
    |                   |                  |                    |
    |                   |                  |--+ Validate        |
    |                   |                  |  | Password        |
    |                   |                  |<-+                 |
    |                   |                  |                    |
    |                   | JWT Token        |                    |
    |                   |<-----------------|                    |
    |                   |                  |                    |
    |                   |--+ Store JWT     |                    |
    |                   |  | in localStorage|                    |
    |                   |<-+               |                    |
    |                   |                  |                    |
    | User accesses OvenMediaEngine features                    |
    |                   |                  |                    |
    |                   | Bearer JWT       |                    |
    |                   |----------------->|                    |
    |                   |                  |                    |
    |                   |                  |--+ Validate        |
    |                   |                  |  | JWT Token       |
    |                   |                  |<-+                 |
    |                   |                  |                    |
    |                   |                  | Basic Auth Token   |
    |                   |                  |------------------->|
    |                   |                  |                    |
    |                   |                  |                    |--+ Validate
    |                   |                  |                    |  | Basic Auth
    |                   |                  |                    |<-+
    |                   |                  |                    |
    |                   |                  | Response           |
    |                   |                  |<-------------------|
    |                   |                  |                    |
    |                   | Response         |                    |
    |                   |<-----------------|                    |
    |                   |                  |                    |
    | Display           |                  |                    |
    |<------------------|                  |                    |
    |                   |                  |                    |
+--------+        +-----------+       +---------+       +----------------+
```
- Uses JWT (JSON Web Token) for authentication
- Token stored in localStorage as 'adminToken'
- Token included in all API requests as Bearer token
- Automatic redirect to login on 401 responses

Frontend to Backend:
- Accepts JWT token in Authorization header
- Format: `Bearer <jwt_token>`
- JWT contains: `{ userId: 'admin' }`
- Expiration: 24 hours

Backend to OvenMediaEngine:
- Backend passes API requests to OvenMediaEngine with Basic Auth
- Token from environment variable: `OME_API_ACCESS_TOKEN`
- Encoded as Base64 in the Authorization header
- OvenMediaEngine is configured to accept Basic Auth with a token
- No sensitive tokens exposed to frontend
- All API calls proxied through backend
```
# Backend Environment Variables
JWT_SECRET=your-super-secret-jwt-key-change-this-in-production
OME_API_URL=http://origin:8081
OME_API_ACCESS_TOKEN=0fc62ea62790ad7c

# Frontend Environment Variables
VITE_API_URL=https://live.colourstream.johnrogerscolour.co.uk/api
```
- All frontend-backend communication is over HTTPS
- JWT tokens expire after 24 hours
- Backend-OvenMediaEngine communication is internal (Docker network)
- Sensitive tokens stored in environment variables
- Frontend never directly accesses OvenMediaEngine API

Invalid JWT Token:
- Backend returns 401
- Frontend redirects to login page
- Frontend clears stored tokens

Invalid OvenMediaEngine Token:
- OvenMediaEngine returns 401
- Backend forwards error
- Frontend displays error message

Missing Token:
- Both APIs return 401
- Appropriate error messages shown to user
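The frontend side of the flow, as an added example (not the project's own code): a small fetch wrapper that reads `adminToken` from storage, sends it as a Bearer token, and applies the 401 handling described above (clear the stored token, redirect to the login page). Storage, fetch and the redirect action are injected so the logic can be exercised outside a browser; `createApiClient`, the `/auth` response shape `{ token }` and the `/login` route are assumptions.

```javascript
// Added example (not the project's own code): frontend token handling.
// Dependencies (storage, fetch, redirect) are passed in rather than taken from
// window so the 401 policy can be tested without a browser.
const TOKEN_KEY = 'adminToken';

// Build request headers, adding the Bearer token only when one is stored.
function authHeaders(storage, extra = {}) {
  const headers = { 'Content-Type': 'application/json', ...extra };
  const token = storage.getItem(TOKEN_KEY);
  if (token) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// Apply the documented 401 policy: drop the stored token and redirect to login.
// Returns true when the response was a 401 and the session was torn down.
function handleUnauthorized(status, storage, redirectToLogin) {
  if (status !== 401) return false;
  storage.removeItem(TOKEN_KEY);
  redirectToLogin();
  return true;
}

function createApiClient({ baseUrl, storage, fetchImpl, redirectToLogin }) {
  // Authenticated request; every call goes through the backend, never to
  // OvenMediaEngine directly.
  async function request(path, options = {}) {
    const res = await fetchImpl(`${baseUrl}${path}`, {
      ...options,
      headers: authHeaders(storage, options.headers),
    });
    if (handleUnauthorized(res.status, storage, redirectToLogin)) {
      throw new Error('Session invalid or expired; redirected to login');
    }
    return res;
  }

  // POST /auth with the login form values and store the returned JWT.
  async function login(username, password) {
    const res = await fetchImpl(`${baseUrl}/auth`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ username, password }),
    });
    if (!res.ok) throw new Error(`Login failed (${res.status})`);
    const { token } = await res.json(); // assumed response shape
    storage.setItem(TOKEN_KEY, token);
    return token;
  }

  return { request, login };
}

// Browser usage (assumes a Vite build where import.meta.env.VITE_API_URL is set):
//   const api = createApiClient({
//     baseUrl: import.meta.env.VITE_API_URL,
//     storage: window.localStorage,
//     fetchImpl: window.fetch.bind(window),
//     redirectToLogin: () => window.location.assign('/login'),
//   });
//   await api.login('admin', password);
//   const res = await api.request('/streams');
```

Because the token lives in localStorage, any script running on the page's origin can read it, so the 24-hour expiry and the 401-triggered cleanup above limit, but do not remove, the impact of a script-injection bug on the frontend.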