facecontrol

package module v0.0.0-...-412dc9f (Latest)
Published: Aug 15, 2017 License: MIT Imports: 5 Imported by: 0

README


Facecontrol

Simple authentication, single sign-on and (optional) authorization solution.

Basic example

package main

import (
    "errors"
    "log"
    "net/http"
    "time"

    "github.com/gobricks/facecontrol"
)

type MyUser struct {
    Login    string   `json:"login"`
    FullName string   `json:"fullname"`
    IsAdmin  bool     `json:"is_admin"`
    CanEdit  []string `json:"can_edit"`
}

func main() {
    fc, err := facecontrol.New(facecontrol.Config{
        RunAt:     ":8080",
        JwtSecret: "OpenSesame",
        JwtTTL:    24 * time.Hour,
        Validator: findUser,
    })
    if err != nil {
        log.Fatal(err)
    }

    // Run blocks while the web server is serving /issue and /validate.
    log.Fatal(fc.Run())
}

// findUser is the CredentialsValidator: every /issue request is handed to it,
// and it returns the payload to embed in the token, or an error to refuse one.
func findUser(r *http.Request) (facecontrol.Payload, error) {
    // FormValue reads both URL query parameters and POSTed form fields,
    // so it serves the GET form as well as the curl -F form used below.
    login := r.FormValue("login")
    password := r.FormValue("password")

    // Refuse unless both the login and the password match.
    if login != "admin" || password != "12345" {
        return nil, errors.New("Invalid credentials")
    }

    return MyUser{
        Login:    "admin",
        FullName: "Johnny Mnemonic",
        IsAdmin:  true,
        CanEdit:  []string{"posts", "comments"},
    }, nil
}

Configuration

Use the facecontrol.Config struct to customize Facecontrol behavior. The available fields are:

RunAt     string // defines address of running facecontrol instance. Example: "127.0.0.1:6000". Required
EnableSSL bool   // forces facecontrol to run in HTTPS mode
SSLCert   string // path to corresponding SSL file. Required if EnableSSL is true
SSLKey    string // path to corresponding SSL file. Required if EnableSSL is true
JwtSecret string // will be used to sign auth tokens. Required
JwtTTL    time.Duration // token expiration time
Validator CredentialsValidator // user-defined credentials validation function

Validator function

A function with the signature func(*http.Request) (facecontrol.Payload, error) can be passed to facecontrol.Config. If so, every incoming HTTP request for token issuing is passed to this function. You can use it to look the user up in your database or any other credential storage. If the function returns a non-nil error, the user is refused a token.
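The following is an added example of such a validator, written for this page and not part of the facecontrol project. It declares Payload and CredentialsValidator locally with the shapes the documentation gives them so it runs without the package, keeps a constructed in-memory user store of salted SHA-256 password digests rather than passwords, compares digests in constant time, hashes even for unknown logins, and returns one generic error for both an unknown login and a wrong password so the response does not say which one failed. Logins, passwords and privileges below are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Payload and CredentialsValidator are declared here with the same shapes the
// facecontrol documentation gives them, so the example runs without the package.
type Payload interface{}
type CredentialsValidator func(*http.Request) (Payload, error)

// UserRecord is a constructed credential-store entry. It keeps a random salt
// and the SHA-256 digest of salt||password; the password itself is never stored.
type UserRecord struct {
	Salt    []byte
	Digest  []byte
	IsAdmin bool
	CanEdit []string
}

// UserPayload is what ends up in the token's "data" claim (same field names
// as the README's MyUser).
type UserPayload struct {
	Login   string   `json:"login"`
	IsAdmin bool     `json:"is_admin"`
	CanEdit []string `json:"can_edit"`
}

// ErrInvalidCredentials is returned for an unknown login and for a wrong
// password alike, so the caller cannot tell which one failed.
var ErrInvalidCredentials = errors.New("invalid credentials")

// dummySalt lets the unknown-login path do the same hashing work as the
// known-login path, keeping the two paths' timing similar.
var dummySalt = make([]byte, 16)

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewUserRecord creates a store entry from a password with a fresh random salt.
func NewUserRecord(password string, isAdmin bool, canEdit []string) UserRecord {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return UserRecord{Salt: salt, Digest: hashPassword(salt, password), IsAdmin: isAdmin, CanEdit: canEdit}
}

// NewValidator returns a CredentialsValidator over the given in-memory store.
// FormValue reads both URL query parameters and POSTed form fields, so it
// serves the GET /issue form and the curl -F form shown in the README.
func NewValidator(users map[string]UserRecord) CredentialsValidator {
	return func(r *http.Request) (Payload, error) {
		login := r.FormValue("login")
		password := r.FormValue("password")

		rec, ok := users[login]
		if !ok {
			hashPassword(dummySalt, password)
			return nil, ErrInvalidCredentials
		}
		// Constant-time comparison of the two digests.
		if subtle.ConstantTimeCompare(hashPassword(rec.Salt, password), rec.Digest) != 1 {
			return nil, ErrInvalidCredentials
		}
		return UserPayload{Login: login, IsAdmin: rec.IsAdmin, CanEdit: rec.CanEdit}, nil
	}
}

func main() {
	users := map[string]UserRecord{
		"admin": NewUserRecord("correct horse battery staple", true, []string{"posts", "comments"}),
	}
	validate := NewValidator(users)

	// Constructed requests standing in for what facecontrol hands the validator.
	for _, q := range []string{
		"/issue?login=admin&password=correct+horse+battery+staple",
		"/issue?login=admin&password=12345",
		"/issue?login=nobody&password=12345",
	} {
		payload, err := validate(httptest.NewRequest(http.MethodGet, q, nil))
		fmt.Printf("%-58s payload=%v err=%v\n", q, payload, err)
	}
}
```

The returned UserPayload is what facecontrol serialises into the token's data claim, so only the fields a consuming service actually needs for authorization belong in it.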

Token issuing and validation

After calling Run() on the Facecontrol instance, a web server starts up and exposes two URLs:

  • GET /issue - for token issuing
  • GET /validate - for validating previously issued token

Token issuing example:

curl -X POST -F "login=admin" -F "password=d41d8cd98f00b204e9800998ecf8427e" "http://127.0.0.1:6000/issue"

Returns:

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NjU5MTI3NjksInVpZCI6ImdvYnJpY2tzIn0.ITqJ1uMdNZXb9XfqbNVF-qy7hVTnPr5ZUk3SHf77y6MDb6_nBCxXN01Fo5M3jxP9o5DnCYV3Ic4OnIybb9qs1

Token validation example:

curl -X GET -H "Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0ODYzMjAwODYsImlzcyI6ImZhY2Vjb250cm9sIn0.dZB-v4fx2x155YarTze17sQsq1HRpz0rYdIxF3hUG469-0l3N1RzE9ES1MFz8kPSWLaKUvXBAqXXDEEmNEb-DA" "http://127.0.0.1:6000/validate"

Returns:

{
  "iat": 1486320086,
  "iss": "facecontrol",
  "data": {
      "login": "admin",
      "is_admin": true
  }
}

How it fits into your infrastructure

How it works

How to achieve single sign-on

Just make the session cookie available to every service hosted on your domain (e.g. *.mysite.com).

How to achieve authorization

You can pass user privileges into the token payload using the Validator function. All your services get these privileges back after user authentication. See the basic example.

Upon receiving user data from facecontrol, your service can check whether the user may perform a certain action based on the available privileges.
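The following is an added example of the service side of this flow; it is not part of the facecontrol project. The service forwards the caller's Bearer header to facecontrol's /validate, decodes the JSON response in the shape the README shows (iat, iss, data), checks that the issuer is "facecontrol", and then decides an action from the returned privileges. The facecontrol endpoint is replaced by a constructed httptest stand-in that accepts one constructed token and answers with a constructed response; that a rejected token yields a non-200 status is an assumption of this example, not documented behaviour.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ValidateResponse is the JSON that /validate returns, in the shape shown in
// the README; can_edit is the privilege list the Validator put into the payload.
type ValidateResponse struct {
	Iat  int64  `json:"iat"`
	Iss  string `json:"iss"`
	Data struct {
		Login   string   `json:"login"`
		IsAdmin bool     `json:"is_admin"`
		CanEdit []string `json:"can_edit"`
	} `json:"data"`
}

// ErrUnauthenticated covers a missing header, a rejected token and a response
// that did not come from facecontrol.
var ErrUnauthenticated = errors.New("token rejected by facecontrol")

// UserFromToken forwards the caller's Authorization header to facecontrol's
// /validate (validateURL, e.g. http://127.0.0.1:6000/validate) and decodes the
// claims it hands back. A non-200 status is treated as rejection (assumption).
func UserFromToken(client *http.Client, validateURL, authHeader string) (*ValidateResponse, error) {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return nil, ErrUnauthenticated
	}
	req, err := http.NewRequest(http.MethodGet, validateURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", authHeader)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, ErrUnauthenticated
	}
	var v ValidateResponse
	// Bound the body size so a misbehaving upstream cannot exhaust memory.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&v); err != nil {
		return nil, err
	}
	if v.Iss != "facecontrol" {
		return nil, ErrUnauthenticated
	}
	return &v, nil
}

// CanEdit applies the privileges facecontrol returned: admins may edit any
// resource, other users only those listed in can_edit.
func CanEdit(u *ValidateResponse, resource string) bool {
	if u.Data.IsAdmin {
		return true
	}
	for _, r := range u.Data.CanEdit {
		if r == resource {
			return true
		}
	}
	return false
}

// goodToken is a constructed placeholder, not a real JWT.
const goodToken = "constructed.example.token"

// fakeFacecontrol is a constructed stand-in for the /validate endpoint so the
// example runs offline. It accepts only goodToken and answers with a
// constructed claims document.
func fakeFacecontrol() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+goodToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `{"iat":1486320086,"iss":"facecontrol","data":{"login":"editor","is_admin":false,"can_edit":["comments"]}}`)
	}))
}

func main() {
	srv := fakeFacecontrol()
	defer srv.Close()

	for _, hdr := range []string{"Bearer " + goodToken, "Bearer forged", ""} {
		u, err := UserFromToken(srv.Client(), srv.URL+"/validate", hdr)
		if err != nil {
			fmt.Printf("%-34q -> %v\n", hdr, err)
			continue
		}
		fmt.Printf("%-34q -> login=%s comments=%t posts=%t\n", hdr, u.Data.Login, CanEdit(u, "comments"), CanEdit(u, "posts"))
	}
}
```

Because the service never sees the JWT secret, every authorization decision rests on what /validate returns; the issuer check and the status check are what keep a response from anything other than facecontrol from being trusted.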

Important security notices

  • It is highly recommended to use HTTPS for all facecontrol communications.
  • You must never store in, or pass to, facecontrol a user password in plain text. Use a hashed version of the password instead.
  • Do not share the JWT secret with any other service. It is meant to be known only to the facecontrol service.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Claims

type Claims struct {
	Payload `json:"data,omitempty"`
	jwt.StandardClaims
}

Claims is the custom JWT claims type.

type Config

type Config struct {
	// Webserver run address
	RunAt string
	// EnableSSL forces facecontrol to run in HTTPS mode
	EnableSSL bool
	// SSLCert and SSLKey are a paths to corresponding SSL files
	SSLCert string
	SSLKey  string
	// JwtSecret will be used to sign auth tokens
	JwtSecret string
	// JwtTTL will be used to set token expiration
	JwtTTL time.Duration
	// Validator is a credentials validating function.
	Validator CredentialsValidator
}

Config defines essential Facecontrol variables and parts.

type CredentialsValidator

type CredentialsValidator func(*http.Request) (Payload, error)

CredentialsValidator is a function that defines incoming credentials validation and payload construction logic. It accepts the raw HTTP request and returns payload data if the credentials are valid. If the given credentials are invalid, it must return a non-nil error.

type Facecontrol

type Facecontrol struct {
	// contains filtered or unexported fields
}

Facecontrol is an SSO service.

func New

func New(conf Config) (*Facecontrol, error)

New returns a new instance of Facecontrol. The configured secret is the signing string for JWT tokens.

func (Facecontrol) Run

func (f Facecontrol) Run() error

Run starts Facecontrol instance.

type Payload

type Payload interface{}

Payload is custom data to be appended to the issued token.
