
Non Admin User and PIN based login #221

@csoni111

Description

On HDA level we can have several users and can control permissions (read/write) for each one (which shares are accessible to whom). But currently, we do not have HDA user level authentication in the app. Anyone logged in with the amahi.org credentials can view/access all the shares and files in the HDA.

So we need to implement Non Admin User (NAU) login and authentication in the app. This is to be done in two parts:

1. Simple pin authentication for each user (admin as well as non-admin) for each HDA.

  • This will include adding an extra step in the current browsing flow
  • On selecting an HDA from the list, the user will be taken to the next screen asking for a 4-6 digit PIN
  • On submitting, the entered PIN has to be sent to the FS (either over remote or local mode) via POST on /auth
  • If the PIN is correct, the FS will return an auth_token which needs to be stored for further use
  • Every further call to the FS will require the auth_token to be sent in the Authorization header; if it is not provided, the request will fail with a 403 Forbidden status code
  • If the PIN is incorrect, the FS will respond with a 401 Unauthorized status code, and an appropriate error has to be shown to the user
  • Any successive attempt to open the same HDA should not ask for a PIN again and should use the same auth_token stored earlier
  • The user must be provided with a Logout from HDA option which will delete the stored auth_token after a successful POST to /logout; if the user then tries to open the HDA again, the PIN login screen will be shown

2. Direct PIN-based login for a local non-admin user, without providing amahi.org credentials.

Ref. https://github.com/amahi/amahi-anywhere-specs#hda-user-authentication
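The PIN/auth_token flow described in part 1, as an added example that is not the Amahi app's or file server's code. It is a self-contained Python sketch of both sides of the exchange: a fake in-memory file server that answers POST /auth, POST /logout and an authenticated GET /shares, and a client that caches one auth_token per HDA, validates the PIN length before sending it, and drops a token on 403 so the PIN screen is shown again. The JSON field names (`user`, `pin`, `auth_token`), the `/shares` path, the raw token in the Authorization header, and the PBKDF2 PIN hashing on the server are assumptions for the example, not details from the spec.

```python
import hashlib
import hmac
import os
import secrets


class FakeFileServer:
    """Stand-in for one HDA's file server (assumed API, not Amahi's)."""

    def __init__(self, users):
        # Constructed sample users: name -> PIN. PINs are stored as salted
        # PBKDF2 hashes so a leaked table does not reveal the PINs.
        self._salts = {u: os.urandom(16) for u in users}
        self._pin_hashes = {u: self._hash(u, pin) for u, pin in users.items()}
        self._tokens = {}  # auth_token -> user

    def _hash(self, user, pin):
        return hashlib.pbkdf2_hmac("sha256", str(pin).encode(), self._salts[user], 100_000)

    def handle(self, method, path, headers=None, body=None):
        """Return (status_code, json_dict) like an HTTP response would."""
        headers, body = headers or {}, body or {}
        if method == "POST" and path == "/auth":
            user = body.get("user")
            if user not in self._pin_hashes:
                return 401, {"error": "Unauthorized"}
            if not hmac.compare_digest(self._pin_hashes[user], self._hash(user, body.get("pin", ""))):
                return 401, {"error": "Unauthorized"}  # wrong PIN -> 401
            token = secrets.token_urlsafe(32)  # unguessable, per-login token
            self._tokens[token] = user
            return 200, {"auth_token": token}
        # Everything else requires a valid token in the Authorization header.
        user = self._tokens.get(headers.get("Authorization"))
        if user is None:
            return 403, {"error": "Forbidden"}  # missing/unknown token -> 403
        if method == "POST" and path == "/logout":
            del self._tokens[headers["Authorization"]]  # token no longer valid
            return 200, {}
        if method == "GET" and path == "/shares":
            return 200, {"shares": ["Movies", "Pictures"]}  # constructed sample
        return 404, {"error": "Not Found"}


def valid_pin(pin):
    """Client-side sanity check: the spec asks for a 4-6 digit PIN."""
    return isinstance(pin, str) and pin.isdigit() and 4 <= len(pin) <= 6


class AmahiAppClient:
    """App side: one cached auth_token per HDA (persisted in app storage in practice)."""

    def __init__(self, hdas):
        self.hdas = hdas  # hda_id -> FakeFileServer
        self.tokens = {}  # hda_id -> auth_token

    def needs_pin(self, hda_id):
        # No cached token -> show the PIN screen when this HDA is opened.
        return hda_id not in self.tokens

    def login(self, hda_id, user, pin):
        if not valid_pin(pin):
            return False  # reject locally, never send a malformed PIN
        status, resp = self.hdas[hda_id].handle("POST", "/auth", body={"user": user, "pin": pin})
        if status != 200:
            return False  # 401: show "incorrect PIN" to the user
        self.tokens[hda_id] = resp["auth_token"]
        return True

    def _auth_headers(self, hda_id):
        token = self.tokens.get(hda_id)
        return {"Authorization": token} if token else {}

    def list_shares(self, hda_id):
        status, resp = self.hdas[hda_id].handle("GET", "/shares", headers=self._auth_headers(hda_id))
        if status == 403:
            self.tokens.pop(hda_id, None)  # stale token: next open asks for the PIN again
            return None
        return resp["shares"]

    def logout(self, hda_id):
        status, _ = self.hdas[hda_id].handle("POST", "/logout", headers=self._auth_headers(hda_id))
        if status == 200:
            self.tokens.pop(hda_id, None)  # delete only after the server confirmed
        return status == 200


if __name__ == "__main__":
    app = AmahiAppClient({"home-hda": FakeFileServer({"alice": "1234"})})
    print("needs PIN:", app.needs_pin("home-hda"))
    print("wrong PIN accepted:", app.login("home-hda", "alice", "0000"))
    print("right PIN accepted:", app.login("home-hda", "alice", "1234"))
    print("shares:", app.list_shares("home-hda"))
    print("logged out:", app.logout("home-hda"), "needs PIN:", app.needs_pin("home-hda"))
```

The client deletes its cached token only after the server acknowledges the logout, and also clears it whenever the server answers 403, so a token revoked elsewhere (or an HDA that was reset) falls back to the PIN screen instead of failing every request silently.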
