Authentication
Learn how to securely authenticate with Varvis API instances using various methods.
Authentication Overview
Varvis Download CLI supports multiple authentication methods to suit different use cases:
- Environment Variables (Recommended)
- Interactive Password Prompts
- Configuration Files
- Command Line Arguments (Least secure)
Environment Variables (Recommended)
Primary Method
Set credentials as environment variables for maximum security:
export VARVIS_USER="your_username"
export VARVIS_PASSWORD="your_password"Then run commands without credential arguments:
./varvis-download.js -t mytarget -a 12345Alternative Variable Names
The tool also recognizes these alternative environment variable names:
# Alternative naming convention
export VARVIS_API_USER="your_username"
export VARVIS_API_PASSWORD="your_password"
# Legacy support
export VARVIS_USERNAME="your_username"
export VARVIS_API_KEY="your_password"Session Management
For long-running sessions, set credentials once:
#!/bin/bash
# setup_session.sh
export VARVIS_USER="your_username"
export VARVIS_PASSWORD="your_password"
export VARVIS_TARGET="mytarget"
echo "Varvis session configured for user: $VARVIS_USER"
echo "Target: $VARVIS_TARGET"Source the script:
source setup_session.sh
./varvis-download.js -a 12345,67890Interactive Password Prompts
Secure Input
When no password is provided, the tool prompts securely with hidden input:
./varvis-download.js -t mytarget -u your_username -a 12345
# Output: Please enter your Varvis password: [hidden input]Benefits
- Security: Password not visible in terminal history
- Flexibility: No need to store credentials
- Audit: Clear record of when authentication occurred
Automation Considerations
Interactive prompts are not suitable for:
- CI/CD pipelines
- Automated scripts
- Background processes
Use environment variables or configuration files for automation.
Configuration Files
Basic Authentication
Create .config.json with credentials:
{
"username": "your_username",
"password": "your_password",
"target": "mytarget"
}Secure Configuration
Recommended approach: Store only username in config, use environment for password:
{
"username": "your_username",
"target": "mytarget",
"destination": "./downloads"
}export VARVIS_PASSWORD="your_password"
./varvis-download.js --config .config.json -a 12345Multiple Environments
Create environment-specific configuration files:
development.config.json:
{
"username": "dev_user",
"target": "mytarget-dev",
"destination": "./dev-downloads",
"loglevel": "debug"
}production.config.json:
{
"username": "prod_user",
"target": "mytarget",
"destination": "/data/genomics",
"loglevel": "warn"
}Usage:
# Development
export VARVIS_PASSWORD="dev_password"
./varvis-download.js --config development.config.json -a 12345
# Production
export VARVIS_PASSWORD="prod_password"
./varvis-download.js --config production.config.json -a 12345Command Line Arguments
Direct Credentials
Provide credentials directly via command line:
./varvis-download.js -t mytarget -u "your_username" -p "your_password" -a 12345Security Risk
Command line arguments are visible in process lists and shell history. Use only for testing or single-use scenarios.
Secure Command Line
Use environment variables even with CLI:
./varvis-download.js -t mytarget -u "$VARVIS_USER" -p "$VARVIS_PASSWORD" -a 12345Authentication Flow
Login Process
The tool follows this authentication sequence:
Credential Collection
- Check command line arguments
- Check environment variables
- Read configuration file
- Prompt interactively if needed
CSRF Token Retrieval
- Fetch CSRF token from API
- Handle token refresh if needed
Authentication Request
- Submit credentials with CSRF token
- Receive session token
Session Management
- Store session token for requests
- Handle token expiration
- Automatic re-authentication if needed
Token Management
Session tokens are:
- Stored in memory only
- Not persisted to disk
- Automatically refreshed
- Invalidated on exit
Multi-Instance Authentication
Different Targets
Authenticate with multiple Varvis instances:
# Primary target
export VARVIS_T1_USER="t1_username"
export VARVIS_T1_PASSWORD="t1_password"
# Secondary target
export VARVIS_T2_USER="t2_username"
export VARVIS_T2_PASSWORD="t2_password"
# Use with different targets
./varvis-download.js -t mytarget -u "$VARVIS_T1_USER" -p "$VARVIS_T1_PASSWORD" -a 12345
./varvis-download.js -t othertarget -u "$VARVIS_T2_USER" -p "$VARVIS_T2_PASSWORD" -a 67890Configuration per Target
Create target-specific configurations:
mytarget.config.json:
{
"username": "lb_user",
"target": "mytarget",
"destination": "./mytarget-data"
}othertarget.config.json:
{
"username": "other_user",
"target": "othertarget",
"destination": "./othertarget-data"
}Security Best Practices
Credential Protection
Use Environment Variables
bash# Secure export VARVIS_PASSWORD="secret" # Avoid ./varvis-download.js -p "secret" # Visible in process listFile Permissions
bash# Restrict config file access chmod 600 .config.json # Verify permissions ls -la .config.json # Expected: -rw------- (owner read/write only)Environment File Security
bash# Protect .env files chmod 600 .env echo ".env" >> .gitignore
Credential Rotation
Regular credential updates:
#!/bin/bash
# rotate_credentials.sh
echo "Updating Varvis credentials..."
read -s -p "Enter new password: " NEW_PASSWORD
echo
# Update environment
export VARVIS_PASSWORD="$NEW_PASSWORD"
# Test authentication
./varvis-download.js -t mytarget --list -a 12345
if [ $? -eq 0 ]; then
echo "✓ Credential rotation successful"
# Update stored configurations if needed
else
echo "✗ Credential rotation failed"
exit 1
fiAccess Control
Principle of Least Privilege
- Use accounts with minimal necessary permissions
- Regular audit of account access
- Separate accounts for different environments
Session Management
- Sessions automatically expire
- No persistent authentication storage
- Clean session termination
Audit Logging
bash# Enable authentication logging ./varvis-download.js -t mytarget -a 12345 --loglevel info --logfile auth.log # Review authentication events grep "Login\|Auth" auth.log
Troubleshooting Authentication
Common Issues
Invalid Credentials:
Error: Authentication failed - invalid username or passwordSolutions:
- Verify username spelling
- Check password accuracy
- Confirm account status
- Test with interactive prompt
Network/Proxy Issues:
Error: Connection timeout during authenticationSolutions:
- Check network connectivity
- Verify proxy configuration
- Test DNS resolution
- Check firewall settings
Token Expiration:
Error: Session token expiredSolutions:
- Tool automatically handles re-authentication
- Check system clock accuracy
- Verify account hasn't been disabled
Debug Authentication
Enable detailed authentication logging:
./varvis-download.js -t mytarget -a 12345 --loglevel debug 2>&1 | grep -i authExample debug output:
[DEBUG] AuthService: Fetching CSRF token from https://mytarget.varvis.com
[DEBUG] AuthService: CSRF token received: csrf_abc123
[DEBUG] AuthService: Submitting login request for user: your_username
[DEBUG] AuthService: Login successful, session token received
[DEBUG] AuthService: Authentication completeTest Authentication
Verify credentials without downloading:
# Quick authentication test
./varvis-download.js -t mytarget -a 12345 --list | head -5Expected output:
Analysis ID: 12345
Available files:
- sample_001.bam (1.2 GB)
- sample_001.bam.bai (4.5 MB)Enterprise Integration
LDAP/Active Directory
For enterprise authentication:
Service Accounts
- Create dedicated service accounts
- Use strong, rotated passwords
- Document account purposes
Integration Scripts
bash#!/bin/bash # enterprise_auth.sh # Retrieve credentials from enterprise vault VARVIS_USER=$(vault kv get -field=username secret/varvis) VARVIS_PASSWORD=$(vault kv get -field=password secret/varvis) export VARVIS_USER VARVIS_PASSWORD # Execute download ./varvis-download.js "$@"
CI/CD Integration
GitHub Actions:
- name: Download Genomic Data
env:
VARVIS_USER: ${{ secrets.VARVIS_USER }}
VARVIS_PASSWORD: ${{ secrets.VARVIS_PASSWORD }}
run: |
./varvis-download.js -t mytarget -a ${{ matrix.analysis_id }}Jenkins:
withCredentials([usernamePassword(
credentialsId: 'varvis-credentials',
usernameVariable: 'VARVIS_USER',
passwordVariable: 'VARVIS_PASSWORD')]) {
sh './varvis-download.js -t mytarget -a ${ANALYSIS_ID}'
}Next Steps
- File Downloads - Configure download behavior
- Configuration - Set up environment-specific configs
- Proxy Configuration - Enterprise network setup