When someone tries to authenticate itself with an user identifier / “user name” and a password, the following process is executed:
- If meta key owner of the configuration zettel does not have a valid zettel identifier as value, authentication fails.
- Retrieve all zettel, where the meta key user-id has the same value as the given user identification. If the list is empty, authentication fails.
- From above list, the zettel with the numerically smallest identifier is selected. Or in other words: the oldest zettel is selected1.
- If the zettel does not have role user, authentication fails.
- If the zettel does not have a value for the meta key credential, authentication fails.
- The value of the meta key credential is compared with the given password. If they do not match, authentication fails.
The authentication is successful, because the Zettelstore has an owner, the identifier matches a user zettel, and the password conforms to the stored credential.
- This is done to prevent an attacker from creating a new note with the same user identification ↩︎