authify-api 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8444210be1f0a6945d07167d9424740a45ddd019
-  data.tar.gz: 2c9808f213e1fcc92ba1b986ea44f2d89bbee85f
+  metadata.gz: d0212938c798f261b1090fb3f324e1e092bd6d42
+  data.tar.gz: 71144d630505d1f7d358868d358d5f408b1c1239
 SHA512:
-  metadata.gz: fab21a5eb9af6454aaa745647fea348024d683419ea5444a6900388d13fc65b8a7b5d9d4792bfa307690950726c2bffb66fe9a225a815302e053ab13e359d4da
-  data.tar.gz: 42541d8379ac40e543b070fe225e4c5a88fd6c85232581dc9de606bb28fcc528dfbbfce65182c0d82862df449a38676557d823b818284663d014b216157301b9
+  metadata.gz: 25f7cd520b354df503b74aecac21523b8333df8103970e1ba6ae18d8a2b2b9b8dae79d17c2d28408bac22b34fd2a86707cb21302d2431748b597593dacfb6410
+  data.tar.gz: 28dddd5daba389f4d4b813fa1f8c83def144136552c307eac8d9ea9e2e92ccb9552da358a3ddbfe74a0c4461f04c53e21eb94133b28658f9ffba14eac16f4efb

data/README.md

@@ -1,8 +1,40 @@
 # Authify::API
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/authify/api`. To experiment with that code, run `bin/console` for an interactive prompt.
+## Introduction
 
-TODO: Delete this and the text above, and describe your gem
+Authify is a web service built from the ground up to simplify authentication and provide it securely to a collection of related web sites.
+
+Authify borrows heavily from [OAuth](https://en.wikipedia.org/wiki/OAuth) concepts, though keeps things a bit simpler, combining the `authorize` and `token` steps and relying on asymmetric, cryptographic signatures rather than additional fields for verification.
+
+## The Details
+
+The Authify API service consists of a database for storing:
+
+* Users
+* User API Keys
+* User Identities (such as logins from other services)
+* Organizations (and membership)
+* Groups (and membership)
+* Trusted authify delegates (other services with unlimited capabilities, including impersonating users)
+
+Nearly all API endpoints available via Authify implement the [{json:api}](http://jsonapi.org/) 1.0 specification. The exceptions are:
+
+* `GET /jwt/key` - Returns Content Type: `application/x-pem-file`. This endpoint returns the PEM-encoded public key ([ES512](https://tools.ietf.org/html/rfc7518#section-3.4) (ECDSA)) which should be used to verify the signature made by the Authify service.
+* `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT token](https://en.wikipedia.org/wiki/JSON_Web_Token) for authentication when interacting with restricted endpoints (both on this service and for other integrated services). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored on local disk (like an API command-line client), that the `access_key` and `secret_key` be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides an JSON Object with the key `jwt` and a signed -- but not encrypted -- JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes.
+
+All other endpoints adhere to the {json:api} specification and can be found at the following base paths:
+
+* `/api-keys` - User API keys. Index is restricted. Should only really be useful for users manipulating their own keys.
+* `/groups` - Groups. Index is restricted. Most interactions with groups should be scoped via organizations.
+* `/identities` - Alternate User Identities. These are other services that the user can login via (web UI only).
+* `/organizations` - Organizations. These are high-level groupings of users and groups. Non-administrators should only be able to see limited amounts of information about organizations.
+* `/users` - Users controller.
+
+In addition to expiring JWTs provided via `/jwt/token` for normal user interactions, Trusted Delegates can perform any action by providing the `X-Authify-Access`, `X-Authify-Secret`, and the `X-Authify-On-Behalf-Of` headers. The `Access` and `Secret` headers are used to authenticate the remote application, and the `On-Behalf-Of` is used to impersonate the user (usually determined through a process on the remote end to establish the user's identity). Note that while these sound similar to User API keys, these Trusted Delegate credentials are longer and can not be interchanged. These values do not expire and are not easily created or removed. For this reason, they should be used **very** sparingly. They can only be created, listed, or removed via a set of `rake` commands run server-side. These are:
+
+* `rake delegate:add[<name>]` - where `<name>` is the unique name of the trusted delegate. For example, `rake delegate:add[foo]` adds a remote delegate named `foo`. This command will output a key / value set providing the access\_key and secret\_key. The secret\_key is stored as a one-way hash in the DB, so it can never be retrieved again.
+* `rake delegate:list` - lists the names of all trusted delegates along with their access keys.
+* `rake delegate:remove[<name>]` - where `<name>` is the unique name of the trusted delegate to remove.
 
 ## Installation
 
@@ -20,22 +52,21 @@ Or install it yourself as:
 
     $ gem install authify-api
 
-## Usage
+## Configuration
 
-TODO: Write usage instructions here
+The Authify API services supports the following configuration settings, managed via environment variables of the same name:
 
-## Development
+* `AUTHIFY_DB_URL` - The URL used by [ActiveRecord](http://guides.rubyonrails.org/configuring.html#configuring-a-database) to connect to the database. Currently supports `mysql2://` or `sqlite3://` URLs, though any driver supported by ActiveRecord should work if the required gems are installed. Defaults to `mysql2://root@localhost:3306/authifydb`.
+* `AUTHIFY_PUBKEY_PATH` - The path on the filesystem to the PEM-encoded, public ECDSA key.
+* `AUTHIFY_PRIVKEY_PATH` - The path on the filesystem to the PEM-encoded, private ECDSA key. Currently, Authify only supports a [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) key using a `secp521r1` curve and the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) hashing algorithm.
+* `AUTHIFY_JWT_ISSUER` - The name of the issuer ([iss field](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields)) used when creating the JWT. This **must** match on any service that verifies the JWT (meaning any service relying on Authify for authentication).
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
-
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+## Usage and Authentication Workflow
 
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/knuedge/authify-api.
 
-
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
-

data/authify-api.gemspec

@@ -28,9 +28,8 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'sinatra', '~> 1.4'
   spec.add_runtime_dependency 'sinatra-activerecord', '~> 2.0'
   spec.add_runtime_dependency 'moneta', '~> 0.8'
-  # spec.add_runtime_dependency 'omniauth', '~> 1.3'
-  # spec.add_runtime_dependency 'omniauth-github', '~> 1.2'
   spec.add_runtime_dependency 'mysql2', '~> 0.4'
+  spec.add_runtime_dependency 'sqlite3', '~> 1.3'
   spec.add_runtime_dependency 'jsonapi-serializers', '~> 0.16'
   spec.add_runtime_dependency 'sinja', '~> 1.2'
   spec.add_runtime_dependency 'puma', '~> 3.7'

data/lib/authify/api/helpers/jwt_encryption.rb

@@ -6,7 +6,7 @@ module Authify
         include Core::Helpers::JWTSSL
 
         def jwt_token
-          JWT.encode jwt_payload(current_user), private_key, 'ES256'
+          JWT.encode jwt_payload(current_user), private_key, 'ES512'
         end
 
         def jwt_payload(user)

data/lib/authify/api/models/trusted_delegate.rb

@@ -25,7 +25,7 @@ module Authify
         end
 
         def self.generate_access_key
-          to_hex(SecureRandom.gen_random(32))[0...32]
+          to_hex(SecureRandom.gen_random(48))[0...48]
         end
 
         def self.from_access_key(access, secret)

data/lib/authify/api/version.rb

@@ -3,7 +3,7 @@ module Authify
     VERSION = [
       0, # Major
       0, # Minor
-      5  # Patch
+      6  # Patch
     ].join('.')
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authify-api
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Jonathan Gnagy
@@ -108,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: jsonapi-serializers
   requirement: !ruby/object:Gem::Requirement
@@ -317,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Authify API Server library