authify-api 0.0.5 → 0.0.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +41 -10
- data/authify-api.gemspec +1 -2
- data/lib/authify/api/helpers/jwt_encryption.rb +1 -1
- data/lib/authify/api/models/trusted_delegate.rb +1 -1
- data/lib/authify/api/version.rb +1 -1
- metadata +16 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d0212938c798f261b1090fb3f324e1e092bd6d42
|
4
|
+
data.tar.gz: 71144d630505d1f7d358868d358d5f408b1c1239
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 25f7cd520b354df503b74aecac21523b8333df8103970e1ba6ae18d8a2b2b9b8dae79d17c2d28408bac22b34fd2a86707cb21302d2431748b597593dacfb6410
|
7
|
+
data.tar.gz: 28dddd5daba389f4d4b813fa1f8c83def144136552c307eac8d9ea9e2e92ccb9552da358a3ddbfe74a0c4461f04c53e21eb94133b28658f9ffba14eac16f4efb
|
data/README.md
CHANGED
@@ -1,8 +1,40 @@
|
|
1
1
|
# Authify::API
|
2
2
|
|
3
|
-
|
3
|
+
## Introduction
|
4
4
|
|
5
|
-
|
5
|
+
Authify is a web service built from the ground up to simplify authentication and provide it securely to a collection of related web sites.
|
6
|
+
|
7
|
+
Authify borrows heavily from [OAuth](https://en.wikipedia.org/wiki/OAuth) concepts, though keeps things a bit simpler, combining the `authorize` and `token` steps and relying on asymmetric, cryptographic signatures rather than additional fields for verification.
|
8
|
+
|
9
|
+
## The Details
|
10
|
+
|
11
|
+
The Authify API service consists of a database for storing:
|
12
|
+
|
13
|
+
* Users
|
14
|
+
* User API Keys
|
15
|
+
* User Identities (such as logins from other services)
|
16
|
+
* Organizations (and membership)
|
17
|
+
* Groups (and membership)
|
18
|
+
* Trusted authify delegates (other services with unlimited capabilities, including impersonating users)
|
19
|
+
|
20
|
+
Nearly all API endpoints available via Authify implement the [{json:api}](http://jsonapi.org/) 1.0 specification. The exceptions are:
|
21
|
+
|
22
|
+
* `GET /jwt/key` - Returns Content Type: `application/x-pem-file`. This endpoint returns the PEM-encoded public key ([ES512](https://tools.ietf.org/html/rfc7518#section-3.4) (ECDSA)) which should be used to verify the signature made by the Authify service.
|
23
|
+
* `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT token](https://en.wikipedia.org/wiki/JSON_Web_Token) for authentication when interacting with restricted endpoints (both on this service and for other integrated services). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored on local disk (like an API command-line client), that the `access_key` and `secret_key` be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides an JSON Object with the key `jwt` and a signed -- but not encrypted -- JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes.
|
24
|
+
|
25
|
+
All other endpoints adhere to the {json:api} specification and can be found at the following base paths:
|
26
|
+
|
27
|
+
* `/api-keys` - User API keys. Index is restricted. Should only really be useful for users manipulating their own keys.
|
28
|
+
* `/groups` - Groups. Index is restricted. Most interactions with groups should be scoped via organizations.
|
29
|
+
* `/identities` - Alternate User Identities. These are other services that the user can login via (web UI only).
|
30
|
+
* `/organizations` - Organizations. These are high-level groupings of users and groups. Non-administrators should only be able to see limited amounts of information about organizations.
|
31
|
+
* `/users` - Users controller.
|
32
|
+
|
33
|
+
In addition to expiring JWTs provided via `/jwt/token` for normal user interactions, Trusted Delegates can perform any action by providing the `X-Authify-Access`, `X-Authify-Secret`, and the `X-Authify-On-Behalf-Of` headers. The `Access` and `Secret` headers are used to authenticate the remote application, and the `On-Behalf-Of` is used to impersonate the user (usually determined through a process on the remote end to establish the user's identity). Note that while these sound similar to User API keys, these Trusted Delegate credentials are longer and can not be interchanged. These values do not expire and are not easily created or removed. For this reason, they should be used **very** sparingly. They can only be created, listed, or removed via a set of `rake` commands run server-side. These are:
|
34
|
+
|
35
|
+
* `rake delegate:add[<name>]` - where `<name>` is the unique name of the trusted delegate. For example, `rake delegate:add[foo]` adds a remote delegate named `foo`. This command will output a key / value set providing the access\_key and secret\_key. The secret\_key is stored as a one-way hash in the DB, so it can never be retrieved again.
|
36
|
+
* `rake delegate:list` - lists the names of all trusted delegates along with their access keys.
|
37
|
+
* `rake delegate:remove[<name>]` - where `<name>` is the unique name of the trusted delegate to remove.
|
6
38
|
|
7
39
|
## Installation
|
8
40
|
|
@@ -20,22 +52,21 @@ Or install it yourself as:
|
|
20
52
|
|
21
53
|
$ gem install authify-api
|
22
54
|
|
23
|
-
##
|
55
|
+
## Configuration
|
24
56
|
|
25
|
-
|
57
|
+
The Authify API services supports the following configuration settings, managed via environment variables of the same name:
|
26
58
|
|
27
|
-
|
59
|
+
* `AUTHIFY_DB_URL` - The URL used by [ActiveRecord](http://guides.rubyonrails.org/configuring.html#configuring-a-database) to connect to the database. Currently supports `mysql2://` or `sqlite3://` URLs, though any driver supported by ActiveRecord should work if the required gems are installed. Defaults to `mysql2://root@localhost:3306/authifydb`.
|
60
|
+
* `AUTHIFY_PUBKEY_PATH` - The path on the filesystem to the PEM-encoded, public ECDSA key.
|
61
|
+
* `AUTHIFY_PRIVKEY_PATH` - The path on the filesystem to the PEM-encoded, private ECDSA key. Currently, Authify only supports a [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) key using a `secp521r1` curve and the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) hashing algorithm.
|
62
|
+
* `AUTHIFY_JWT_ISSUER` - The name of the issuer ([iss field](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields)) used when creating the JWT. This **must** match on any service that verifies the JWT (meaning any service relying on Authify for authentication).
|
28
63
|
|
29
|
-
|
30
|
-
|
31
|
-
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
64
|
+
## Usage and Authentication Workflow
|
32
65
|
|
33
66
|
## Contributing
|
34
67
|
|
35
68
|
Bug reports and pull requests are welcome on GitHub at https://github.com/knuedge/authify-api.
|
36
69
|
|
37
|
-
|
38
70
|
## License
|
39
71
|
|
40
72
|
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
|
41
|
-
|
data/authify-api.gemspec
CHANGED
@@ -28,9 +28,8 @@ Gem::Specification.new do |spec|
|
|
28
28
|
spec.add_runtime_dependency 'sinatra', '~> 1.4'
|
29
29
|
spec.add_runtime_dependency 'sinatra-activerecord', '~> 2.0'
|
30
30
|
spec.add_runtime_dependency 'moneta', '~> 0.8'
|
31
|
-
# spec.add_runtime_dependency 'omniauth', '~> 1.3'
|
32
|
-
# spec.add_runtime_dependency 'omniauth-github', '~> 1.2'
|
33
31
|
spec.add_runtime_dependency 'mysql2', '~> 0.4'
|
32
|
+
spec.add_runtime_dependency 'sqlite3', '~> 1.3'
|
34
33
|
spec.add_runtime_dependency 'jsonapi-serializers', '~> 0.16'
|
35
34
|
spec.add_runtime_dependency 'sinja', '~> 1.2'
|
36
35
|
spec.add_runtime_dependency 'puma', '~> 3.7'
|
data/lib/authify/api/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: authify-api
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jonathan Gnagy
|
@@ -108,6 +108,20 @@ dependencies:
|
|
108
108
|
- - "~>"
|
109
109
|
- !ruby/object:Gem::Version
|
110
110
|
version: '0.4'
|
111
|
+
- !ruby/object:Gem::Dependency
|
112
|
+
name: sqlite3
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
114
|
+
requirements:
|
115
|
+
- - "~>"
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: '1.3'
|
118
|
+
type: :runtime
|
119
|
+
prerelease: false
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
121
|
+
requirements:
|
122
|
+
- - "~>"
|
123
|
+
- !ruby/object:Gem::Version
|
124
|
+
version: '1.3'
|
111
125
|
- !ruby/object:Gem::Dependency
|
112
126
|
name: jsonapi-serializers
|
113
127
|
requirement: !ruby/object:Gem::Requirement
|
@@ -317,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
317
331
|
version: '0'
|
318
332
|
requirements: []
|
319
333
|
rubyforge_project:
|
320
|
-
rubygems_version: 2.5
|
334
|
+
rubygems_version: 2.4.5
|
321
335
|
signing_key:
|
322
336
|
specification_version: 4
|
323
337
|
summary: Authify API Server library
|