authify-api 0.0.5 → 0.0.6

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 8444210be1f0a6945d07167d9424740a45ddd019
4
- data.tar.gz: 2c9808f213e1fcc92ba1b986ea44f2d89bbee85f
3
+ metadata.gz: d0212938c798f261b1090fb3f324e1e092bd6d42
4
+ data.tar.gz: 71144d630505d1f7d358868d358d5f408b1c1239
5
5
  SHA512:
6
- metadata.gz: fab21a5eb9af6454aaa745647fea348024d683419ea5444a6900388d13fc65b8a7b5d9d4792bfa307690950726c2bffb66fe9a225a815302e053ab13e359d4da
7
- data.tar.gz: 42541d8379ac40e543b070fe225e4c5a88fd6c85232581dc9de606bb28fcc528dfbbfce65182c0d82862df449a38676557d823b818284663d014b216157301b9
6
+ metadata.gz: 25f7cd520b354df503b74aecac21523b8333df8103970e1ba6ae18d8a2b2b9b8dae79d17c2d28408bac22b34fd2a86707cb21302d2431748b597593dacfb6410
7
+ data.tar.gz: 28dddd5daba389f4d4b813fa1f8c83def144136552c307eac8d9ea9e2e92ccb9552da358a3ddbfe74a0c4461f04c53e21eb94133b28658f9ffba14eac16f4efb
data/README.md CHANGED
@@ -1,8 +1,40 @@
1
1
  # Authify::API
2
2
 
3
- Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/authify/api`. To experiment with that code, run `bin/console` for an interactive prompt.
3
+ ## Introduction
4
4
 
5
- TODO: Delete this and the text above, and describe your gem
5
+ Authify is a web service built from the ground up to simplify authentication and provide it securely to a collection of related web sites.
6
+
7
+ Authify borrows heavily from [OAuth](https://en.wikipedia.org/wiki/OAuth) concepts, though keeps things a bit simpler, combining the `authorize` and `token` steps and relying on asymmetric, cryptographic signatures rather than additional fields for verification.
8
+
9
+ ## The Details
10
+
11
+ The Authify API service consists of a database for storing:
12
+
13
+ * Users
14
+ * User API Keys
15
+ * User Identities (such as logins from other services)
16
+ * Organizations (and membership)
17
+ * Groups (and membership)
18
+ * Trusted authify delegates (other services with unlimited capabilities, including impersonating users)
19
+
20
+ Nearly all API endpoints available via Authify implement the [{json:api}](http://jsonapi.org/) 1.0 specification. The exceptions are:
21
+
22
+ * `GET /jwt/key` - Returns Content Type: `application/x-pem-file`. This endpoint returns the PEM-encoded public key ([ES512](https://tools.ietf.org/html/rfc7518#section-3.4) (ECDSA)) which should be used to verify the signature made by the Authify service.
23
+ * `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT token](https://en.wikipedia.org/wiki/JSON_Web_Token) for authentication when interacting with restricted endpoints (both on this service and for other integrated services). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored on local disk (like an API command-line client), that the `access_key` and `secret_key` be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides an JSON Object with the key `jwt` and a signed -- but not encrypted -- JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes.
24
+
25
+ All other endpoints adhere to the {json:api} specification and can be found at the following base paths:
26
+
27
+ * `/api-keys` - User API keys. Index is restricted. Should only really be useful for users manipulating their own keys.
28
+ * `/groups` - Groups. Index is restricted. Most interactions with groups should be scoped via organizations.
29
+ * `/identities` - Alternate User Identities. These are other services that the user can login via (web UI only).
30
+ * `/organizations` - Organizations. These are high-level groupings of users and groups. Non-administrators should only be able to see limited amounts of information about organizations.
31
+ * `/users` - Users controller.
32
+
33
+ In addition to expiring JWTs provided via `/jwt/token` for normal user interactions, Trusted Delegates can perform any action by providing the `X-Authify-Access`, `X-Authify-Secret`, and the `X-Authify-On-Behalf-Of` headers. The `Access` and `Secret` headers are used to authenticate the remote application, and the `On-Behalf-Of` is used to impersonate the user (usually determined through a process on the remote end to establish the user's identity). Note that while these sound similar to User API keys, these Trusted Delegate credentials are longer and can not be interchanged. These values do not expire and are not easily created or removed. For this reason, they should be used **very** sparingly. They can only be created, listed, or removed via a set of `rake` commands run server-side. These are:
34
+
35
+ * `rake delegate:add[<name>]` - where `<name>` is the unique name of the trusted delegate. For example, `rake delegate:add[foo]` adds a remote delegate named `foo`. This command will output a key / value set providing the access\_key and secret\_key. The secret\_key is stored as a one-way hash in the DB, so it can never be retrieved again.
36
+ * `rake delegate:list` - lists the names of all trusted delegates along with their access keys.
37
+ * `rake delegate:remove[<name>]` - where `<name>` is the unique name of the trusted delegate to remove.
6
38
 
7
39
  ## Installation
8
40
 
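Review bot: the `POST /jwt/token` bullet drops its verb, so the recommendation never gets stated: "but for scenarios where the credentials may be stored on local disk (like an API command-line client), that the `access_key` and `secret_key` be used" should read "it is recommended that the `access_key` and `secret_key` be used", and "provides an JSON Object" should be "provides a JSON Object". The same paragraph already documents that the JWT is signed but not encrypted and defaults to a 15 minute expiry; since `GET /jwt/key` is described as the key "which should be used to verify the signature", it would help consumers to add one sentence saying that verifiers must fetch that key and accept only the ES512 algorithm when decoding, which is the algorithm the `jwt_token` hunk in this release switches to. The Trusted Delegate paragraph states that those credentials "do not expire and are not easily created or removed"; since `rake delegate:remove[<name>]` exists, a line on rotating a delegate (add a new name, switch the remote, remove the old one) would make that operational advice actionable.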
@@ -20,22 +52,21 @@ Or install it yourself as:
20
52
 
21
53
  $ gem install authify-api
22
54
 
23
- ## Usage
55
+ ## Configuration
24
56
 
25
- TODO: Write usage instructions here
57
+ The Authify API services supports the following configuration settings, managed via environment variables of the same name:
26
58
 
27
- ## Development
59
+ * `AUTHIFY_DB_URL` - The URL used by [ActiveRecord](http://guides.rubyonrails.org/configuring.html#configuring-a-database) to connect to the database. Currently supports `mysql2://` or `sqlite3://` URLs, though any driver supported by ActiveRecord should work if the required gems are installed. Defaults to `mysql2://root@localhost:3306/authifydb`.
60
+ * `AUTHIFY_PUBKEY_PATH` - The path on the filesystem to the PEM-encoded, public ECDSA key.
61
+ * `AUTHIFY_PRIVKEY_PATH` - The path on the filesystem to the PEM-encoded, private ECDSA key. Currently, Authify only supports a [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) key using a `secp521r1` curve and the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) hashing algorithm.
62
+ * `AUTHIFY_JWT_ISSUER` - The name of the issuer ([iss field](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields)) used when creating the JWT. This **must** match on any service that verifies the JWT (meaning any service relying on Authify for authentication).
28
63
 
29
- After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
30
-
31
- To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
64
+ ## Usage and Authentication Workflow
32
65
 
33
66
  ## Contributing
34
67
 
35
68
  Bug reports and pull requests are welcome on GitHub at https://github.com/knuedge/authify-api.
36
69
 
37
-
38
70
  ## License
39
71
 
40
72
  The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
41
-
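Review bot: the new `## Usage and Authentication Workflow` heading has no body; the section runs straight into `## Contributing`, so either fill it in or hold the heading back until the content exists. Two smaller points in the same hunk: "The Authify API services supports" should be "service supports", and the documented default for `AUTHIFY_DB_URL`, `mysql2://root@localhost:3306/authifydb`, is a passwordless root connection, so the README should say that this is a development default only and that deployments must set the variable to a dedicated, password-protected account. The `AUTHIFY_PRIVKEY_PATH` bullet could also note that this file must be readable by the service user only, given that it signs every token the integrated services trust.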
data/authify-api.gemspec CHANGED
@@ -28,9 +28,8 @@ Gem::Specification.new do |spec|
28
28
  spec.add_runtime_dependency 'sinatra', '~> 1.4'
29
29
  spec.add_runtime_dependency 'sinatra-activerecord', '~> 2.0'
30
30
  spec.add_runtime_dependency 'moneta', '~> 0.8'
31
- # spec.add_runtime_dependency 'omniauth', '~> 1.3'
32
- # spec.add_runtime_dependency 'omniauth-github', '~> 1.2'
33
31
  spec.add_runtime_dependency 'mysql2', '~> 0.4'
32
+ spec.add_runtime_dependency 'sqlite3', '~> 1.3'
34
33
  spec.add_runtime_dependency 'jsonapi-serializers', '~> 0.16'
35
34
  spec.add_runtime_dependency 'sinja', '~> 1.2'
36
35
  spec.add_runtime_dependency 'puma', '~> 3.7'
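Review bot: `sqlite3` is added as a hard runtime dependency alongside `mysql2`, while the README in this same release says any ActiveRecord driver should work "if the required gems are installed". Making both adapters mandatory pulls two native extensions into every install; if sqlite3 is meant for local development and tests, `spec.add_development_dependency 'sqlite3', '~> 1.3'` would match the README's wording and keep production installs smaller. The two commented-out omniauth lines removed here leave no record of why that integration was dropped, so a short note in the README or commit message would help future readers.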
@@ -6,7 +6,7 @@ module Authify
6
6
  include Core::Helpers::JWTSSL
7
7
 
8
8
  def jwt_token
9
- JWT.encode jwt_payload(current_user), private_key, 'ES256'
9
+ JWT.encode jwt_payload(current_user), private_key, 'ES512'
10
10
  end
11
11
 
12
12
  def jwt_payload(user)
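Review bot: this hunk has no file header in the rendered diff, but the change from `'ES256'` to `'ES512'` is the right fix given the README's statement that the signing key is a `secp521r1` ECDSA key with SHA-512: ES256 denotes P-256 with SHA-256, so the old value did not match the configured key. It is also a breaking change for every consumer that verifies tokens: they must now decode with `ES512`, and they should pass that algorithm explicitly to their JWT library rather than trusting the token's `alg` header, so that a token claiming a different algorithm is rejected outright. Please call the change out in the README's verification guidance for this release.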
@@ -25,7 +25,7 @@ module Authify
25
25
  end
26
26
 
27
27
  def self.generate_access_key
28
- to_hex(SecureRandom.gen_random(32))[0...32]
28
+ to_hex(SecureRandom.gen_random(48))[0...48]
29
29
  end
30
30
 
31
31
  def self.from_access_key(access, secret)
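Review bot: `to_hex(SecureRandom.gen_random(48))[0...48]` draws 48 random bytes but, assuming `to_hex` is a plain hex encoding, keeps only the first 48 hex characters, i.e. 24 bytes (192 bits) of the 48 generated; the previous line likewise kept 16 of 32 bytes. The entropy is adequate, but the slice hides that, and `gen_random` is not the documented SecureRandom interface. `SecureRandom.hex(24)` returns exactly the same 48 character result through the standard API and makes the intended key length obvious. If the longer key is the Trusted Delegate credential length the README describes as "longer" than user API keys, a comment saying so would help, since `from_access_key` below is what distinguishes the two at lookup time.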
@@ -3,7 +3,7 @@ module Authify
3
3
  VERSION = [
4
4
  0, # Major
5
5
  0, # Minor
6
- 5 # Patch
6
+ 6 # Patch
7
7
  ].join('.')
8
8
  end
9
9
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: authify-api
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.5
4
+ version: 0.0.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jonathan Gnagy
@@ -108,6 +108,20 @@ dependencies:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
110
  version: '0.4'
111
+ - !ruby/object:Gem::Dependency
112
+ name: sqlite3
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - "~>"
116
+ - !ruby/object:Gem::Version
117
+ version: '1.3'
118
+ type: :runtime
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - "~>"
123
+ - !ruby/object:Gem::Version
124
+ version: '1.3'
111
125
  - !ruby/object:Gem::Dependency
112
126
  name: jsonapi-serializers
113
127
  requirement: !ruby/object:Gem::Requirement
@@ -317,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
317
331
  version: '0'
318
332
  requirements: []
319
333
  rubyforge_project:
320
- rubygems_version: 2.5.1
334
+ rubygems_version: 2.4.5
321
335
  signing_key:
322
336
  specification_version: 4
323
337
  summary: Authify API Server library
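Review bot: `rubygems_version` drops from 2.5.1 to 2.4.5, which means this release was packaged on a different, older toolchain than 0.0.5. Not a defect in itself, but building releases from one pinned environment keeps gem metadata reproducible and makes the checksums in `checksums.yaml` easier to verify against a rebuild.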