Skip to content

jllopis/gouncer

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

154 Commits

main

main

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

authenticator.go

authenticator.go

 
 

authorizer.go

authorizer.go

 
 

cancel.go

cancel.go

 
 

confirm.go

confirm.go

 
 

couch.go

couch.go

 
 

credentials.go

credentials.go

 
 

mail.go

mail.go

 
 

onetime.go

onetime.go

 
 

register.go

register.go

 
 

reset.go

reset.go

 
 

response.go

response.go

 
 

server.go

server.go

 
 

sicas.go

sicas.go

 
 

Repository files navigation

Gouncer

A high speed auth server written in go

Installation

  go get github.com/npolar/gouncer

Dependencies

  go get github.com/bradfitz/gomemcache/memcache
  go get github.com/rs/cors
  go get github.com/codegangsta/cli

Compilation

  • Staticlly linked
  go install && CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldflags '-s' main/gouncer.go

NOTE!:change the GOOS= variable to match your platform

  • Dynamically linked
  go install && go build main/gouncer.go

Run

Cli configuration

  ./gouncer -h # for flag info
  ./gouncer --db http://localhost:5984 -c my-ssl/certificate.crt -k my-ssl/keyfile.key -m my.cache.com:11211

Config file

Gouncer supports configuration through a TOML v0.4.0 file.

  ./gouncer --config myconf.toml

Example Config

  # Gouncer Configuration Example

  # Essential server configuration
  [core]
  hostname = ""      # Server name eg. example.com
  port     = ":8950" # Server port written as string prependend with ':'
  jsonp    = true    # Enable JSONP support
  log      = "/var/log/gouncer/error.log"

  [ssl]
  certificate = "my-certs/certificate.crt" # SSL Certificate
  key         = "my-keys/keyfile.key"      # SSL key

  [backend]
  couchdb  = "https://localhost:5984" # Address to a couchdb instance
  userdb   = "users"                  # Name of the user database
  groupdb  = "groups"                 # Name of the groups database
  memcache = ["localhost:11211"]      # List of memcache instances
  smtp     = "my-smtp.com:25"         # Address to the SMTP server you want to use to send notifications

  [token]
  algorithm  = "HS512" # Supported JWT algorithms [none, HS256, HS384, HS512]
  expiration = 10800  # Token expiration time in seconds

  [registrations]

    # Default group settings for mail addresses containing the @example.com domain

    [registrations.example]
    domain = "example.com"
    groups = ["exampleGroup"]

    # Default group settings for all email domains not defined

    [registrations.default]
    domain = "default"
    groups = ["globalGroup"]

  [mail_config]
  sender               = "noreply@example.com"                                             # Email address to use when sending notifications
  link_timeout         = 1200                                                              # Time a confirmation link will stay active
  confirmation_subject = "Account confirmation"                                            # Confirmation mail subject
  confirmation_message = "Thanks dude! Click for awesomeness: {{link}}/{{code}}"           # Confirmation mail message. Use the {{link}} pattern to inject the link into the message
  cancel_subject       = "Cancellation confirmation"                                       # Cancellation mail subject
  cancel_message       = "Bummer dude! Click to cancel the awesomeness: {{link}}/{{code}}" # Cancellation mail message. Use the {{link}} pattern to inject the link into the message
  whitelist_domains    = ["https://example.com/*"]                                         # List of domains that are valid for registration handling

Usage

Authentication

  • Basic
  curl -k -XGET https://username:password@localhost:8950/authenticate
  # OR
  curl -k -XGET https://localhost:8950/authenticate -H "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ="

Gouncer will then respond with a json object

  {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
  }
  • Revalidation
  curl -k -XGET https://localhost:8950/authenticate -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"

Gouncer will then respond with a new token

  {
    "token": "eyJhbG...",
  }

Authorization

To check if we have access to https://example.com/info we send our token in the authorization header and pass the system we want to get authorization for as body

  curl -XPOST https://localhost:8950/authorize -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RM" -d '{"system": "https://example.com/info"}'

Gouncer will respond with a list of access rights.

  {
    "rights":[
      "create",
      "read",
      "update",
      "delete"
    ]
  }

If your user does not have access to the system you will get a HTTP 403 Forbidden error.

Account Registration

To create a new account you can send a request to the /register path. NOTE: an smtp address must be set for this feature to work.

  curl -k -XPOST https://localhost:8950/register -d '{"email":"my-mail@example.com", "name":"myname", "password":"some-secret", "link":"https://my-accept-link/confirm"}'

If successfull you will get a mail at the email address you tried to register. Use the code inside to complete account creation. If an account for the mail address already exist you will get an error. To complete the registration run the following command. Replace the code part of the uri with the value received in the email.

  curl -k -XGET https://localhost:8950/confirm/<code>

Account Cancellation

To cancel your account you can send a request to the /unregister path with valid credentials (basic || token)

  curl -k -XDELETE https://localhost:8950/unregister

If you sent the request with valid credentials you'll receive an email on the accounts email address with a code to complete the cancellation process. To complete cancallation run the following command. Replace the code part of the uri with the value received in the email.

  curl -k -XGET https://localhost:8950/cancel/<code>

One time Login (Email)

In order to provide users with the ability to reset forgotten passwords they can obtain a one time password through the email address they used to register themselves.

  curl -k -XPOST https://localhost:8950/onetime -d '{"email": "user@email.com"}'

After sending the request the user will receive an email (Only if the user exists in the system!) with a onetime code. This code can be used as a password for a basic auth login session.

  curl -K -XGET https://user%40email.com:<code>@localhost:8950/authenticate

Gouncer will respond with

  {"token": "asAd34fds..."}

Update Password & Display Name

Users with a valid token or basic auth can reset their password and display name.

  curl -k -XPOST https://localhost:8950/reset -H 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' -d '{"password":"updatedPw", "name":"MyNewName"}'
  curl -k -XPOST https://localhost:8950/reset -H 'Authorization: Bearer asAd34fds...' -d '{"password":"updatedPw", "name":"MyNewName"}'

!NOTE If you only want to update the password you can leave the name key out of the object or leave the value blank. eg {"password": ""} || {"password": "", "name":""}

Example Notice

Note that the curl commands in the provided examples ignore self signed SSL certificates. To check certificate validity remove the -k flag from the commands.

Notice

Gouncer is still under development. API and formats change as we go! Use in poduction systems is not recommended.

About

JWT auth server

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • Go 100.0%