README
¶
🦇 Gothic
Gothic is a user registration and authentication microservice written in Go. It's based on OAuth2 and JWT and will handle user signup, authentication and custom user data.
Project History
This project was originally forked from https://github.com/gothic/gothic.
The purpose was to adopt newer, more developer friendly technologies like Gorm, gRPC, and gRPC Web; newer versions of critical libraries like JWT v4; and migrate away from older libraries that are deprecated with security flaws.
These changes allow for advances like self-contained database migration, expanded database driver support (e.g., PostgreSQL), and gRPC support. Broadly speaking, they are intended to make it easier to modify and use the microservice outside of Netlify tool chain, and in a more active development environment.
While the Netlify team did a good job with the original effort, their use in production means they cannot easily adopt these kinds of significant changes. In many cases, they will likely never make them given the impacts to their tooling, deployment, and production systems — which makes perfect sense for their situation.
I'd like to thank Netlify team for their hard work on the original version of this microservice.
NOTE: gRPC / gRPC Web support is in its infancy.
Currently only the scaffolding is in place with a few supported methods like healthcheck and settings. The intention is to refactor the API over time to support both REST & gRPC.
Configuration
You may configure Gothic using either a configuration file named .env,
environment variables, or a combination of both. Environment variables are
prefixed with GOTHIC_, and will always have precedence over values provided
via file.
Top-Level
GOTHIC_SITE_URL=https://example.gothic.com/
SITE_URL - string required
The base URL your site is located at. Currently used in combination with other settings to construct URLs used in emails.
OPERATOR_TOKEN - string Multi-instance mode only
The shared secret with an operator (usually Netlify) for this microservice. Used to verify requests have been proxied through the operator and the payload values can be trusted.
DISABLE_SIGNUP - bool
When signup is disabled the only way to create new users is through invites. Defaults to false, all signups enabled.
GOTHIC_RATE_LIMIT_HEADER - string
Header on which to rate limit the /token endpoint.
API
GOTHIC_API_HOST=localhost
REST_PORT=9999 # the http REST server port
RPC_PORT=3001 # the gRPC server port
RPCWEB_PORT=6001 # the gRPC Web server port
API_HOST - string
Hostname to listen on.
REST_PORT (no prefix) / GOTHIC_API_REST_PORT - number
Port number for the HTTP REST API server to listen on. Defaults to 8081.
RPC_PORT (no prefix) / GOTHIC_API_RPC_PORT - number
Port number for the gRPC API server to listen on. Defaults to 3001.
RPCWEB_PORT (no prefix) / GOTHIC_API_RPCWEB_PORT - number
Port number for the gRPC Web API server to listen on. Defaults to 6001.
API_ENDPOINT - string Multi-instance mode only
Controls what endpoint Netlify can access this API on.
REQUEST_ID_HEADER - string
If you wish to inherit a request ID from the incoming request, specify the name in this value.
Database
GOTHIC_DB_DRIVER=mysql
DATABASE_URL=root@localhost
GOTHIC_DB_DATABASE=gothic
DB_DRIVER - string required
Chooses what dialect of database you want. Must be mysql.
DATABASE_URL (no prefix) / DB_DATABASE_URL - string required
Connection string for the database.
GOTHIC_DB_DATABASE - string
The name of the database to create automatically. Defaults to gothic.
DB_NAMESPACE - string
Adds a prefix to all table names.
Migrations Note
Migrations WILL BE applied automatically if you start with
GOTHIC_DB_AUTOMIGRATE=true
Logging
LOG_LEVEL=debug # available without GOTHIC prefix (exception)
GOTHIC_LOG_FILE=/var/log/go/gothic.log
LOG_LEVEL - string
Controls what log levels are output. Choose from panic, fatal, error, warn, info, or debug. Defaults to info.
LOG_FILE - string
If you wish logs to be written to a file, set log_file to a valid file path.
Opentracing
Currently, only the Datadog tracer is supported.
GOTHIC_TRACING_ENABLED=true
GOTHIC_TRACING_HOST=127.0.0.1
GOTHIC_TRACING_PORT=8126
GOTHIC_TRACING_TAGS="tag1:value1,tag2:value2"
GOTHIC_SERVICE_NAME="gothic"
TRACING_ENABLED - bool
Whether tracing is enabled or not. Defaults to false.
TRACING_HOST - bool
The tracing destination.
TRACING_PORT - bool
The port for the tracing host.
TRACING_TAGS - string
A comma separated list of key:value pairs. These key value pairs will be added as tags to all opentracing spans.
SERVICE_NAME - string
The name to use for the service.
JSON Web Tokens (JWT)
GOTHIC_JWT_SECRET=supersecretvalue
GOTHIC_JWT_METHOD=HS256
GOTHIC_JWT_EXP=3600
GOTHIC_JWT_AUD=gothic
JWT_SECRET - string required
The secret used to sign JWT tokens with.
JWT_METHOD - string
The method used to sign JWT tokens. Defaults to HS256 (HMAC256).
JWT_EXP - number
How long tokens are valid for, in seconds. Defaults to 3600 (1 hour).
JWT_AUD - string
The default JWT audience. Use audiences to group users.
JWT_ADMIN_GROUP_NAME - string
The name of the admin group (if enabled). Defaults to admin.
JWT_DEFAULT_GROUP_NAME - string
The default group to assign all new users to.
External Authentication Providers
We support bitbucket, github, gitlab, and google for external authentication.
Use the names as the keys underneath external to configure each separately.
GOTHIC_EXTERNAL_GITHUB_CLIENT_ID=myappclientid
GOTHIC_EXTERNAL_GITHUB_SECRET=clientsecretvaluessssh
No external providers are required, but you must provide the required values if you choose to enable any.
EXTERNAL_X_ENABLED - bool
Whether this external provider is enabled or not
EXTERNAL_X_CLIENT_ID - string required
The OAuth2 Client ID registered with the external provider.
EXTERNAL_X_SECRET - string required
The OAuth2 Client Secret provided by the external provider when you registered.
EXTERNAL_X_REDIRECT_URI - string required for gitlab
The URI a OAuth2 provider will redirect to with the code and state values.
EXTERNAL_X_URL - string
The base URL used for constructing the URLs to request authorization and access tokens. Used by gitlab only. Defaults to https://gitlab.com.
Sending email is not required, but highly recommended for password recovery. If enabled, you must provide the required values below.
GOTHIC_SMTP_HOST=smtp.mandrillapp.com
GOTHIC_SMTP_PORT=587
GOTHIC_SMTP_USER=smtp-delivery@example.com
GOTHIC_SMTP_PASS=correcthorsebatterystaple
GOTHIC_SMTP_ADMIN_EMAIL=support@example.com
GOTHIC_MAILER_SUBJECTS_CONFIRMATION="Please confirm"
SMTP_ADMIN_EMAIL - string required
The From email address for all emails sent.
SMTP_HOST - string required
The mail server hostname to send emails through.
SMTP_PORT - number required
The port number to connect to the mail server on.
SMTP_USER - string
If the mail server requires authentication, the username to use.
SMTP_PASS - string
If the mail server requires authentication, the password to use.
SMTP_MAX_FREQUENCY - number
Controls the minimum amount of time that must pass before sending another signup confirmation or password reset email. The value is the number of seconds. Defaults to 900 (15 minutes).
MAILER_AUTOCONFIRM - bool
If you do not require email confirmation, you may set this to true. Defaults to false.
MAILER_URLPATHS_INVITE - string
URL path to use in the user invite email. Defaults to /.
MAILER_URLPATHS_CONFIRMATION - string
URL path to use in the signup confirmation email. Defaults to /.
MAILER_URLPATHS_RECOVERY - string
URL path to use in the password reset email. Defaults to /.
MAILER_URLPATHS_EMAIL_CHANGE - string
URL path to use in the email change confirmation email. Defaults to /.
MAILER_SUBJECTS_INVITE - string
Email subject to use for user invite. Defaults to You have been invited.
MAILER_SUBJECTS_CONFIRMATION - string
Email subject to use for signup confirmation. Defaults to Confirm Your Signup.
MAILER_SUBJECTS_RECOVERY - string
Email subject to use for password reset. Defaults to Reset Your Password.
MAILER_SUBJECTS_EMAIL_CHANGE - string
Email subject to use for email change confirmation. Defaults to Confirm Email Change.
MAILER_TEMPLATES_INVITE - string
URL path to an email template to use when inviting a user.
SiteURL, Email, and ConfirmationURL variables are available.
Default Content (if template is unavailable):
<h2>You have been invited</h2>
<p>You have been invited to create a user on {{ .SiteURL }}. Follow this link to accept the invite:</p>
<p><a href="{{ .ConfirmationURL }}">Accept the invite</a></p>
MAILER_TEMPLATES_CONFIRMATION - string
URL path to an email template to use when confirming a signup.
SiteURL, Email, and ConfirmationURL variables are available.
Default Content (if template is unavailable):
<h2>Confirm your signup</h2>
<p>Follow this link to confirm your user:</p>
<p><a href="{{ .ConfirmationURL }}">Confirm your mail</a></p>
MAILER_TEMPLATES_RECOVERY - string
URL path to an email template to use when resetting a password.
SiteURL, Email, and ConfirmationURL variables are available.
Default Content (if template is unavailable):
<h2>Reset Password</h2>
<p>Follow this link to reset the password for your user:</p>
<p><a href="{{ .ConfirmationURL }}">Reset Password</a></p>
MAILER_TEMPLATES_EMAIL_CHANGE - string
URL path to an email template to use when confirming the change of an email address.
SiteURL, Email, NewEmail, and ConfirmationURL variables are available.
Default Content (if template is unavailable):
<h2>Confirm Change of Email</h2>
<p>Follow this link to confirm the update of your email from {{ .Email }} to {{ .NewEmail }}:</p>
<p><a href="{{ .ConfirmationURL }}">Change Email</a></p>
WEBHOOK_URL - string
Url of the webhook receiver endpoint. This will be called when events like validate, signup or login occur.
WEBHOOK_SECRET - string
Shared secret to authorize webhook requests. This secret signs the JSON Web Signature of the request. You should use this to verify the integrity of the request. Otherwise others can feed your webhook receiver with fake data.
WEBHOOK_RETRIES - number
How often Gothic should try a failed hook.
WEBHOOK_TIMEOUT_SEC - number
Time between retries (in seconds).
WEBHOOK_EVENTS - list
Which events should trigger a webhook. You can provide a comma separated list.
For example to listen to all events, provide the values validate,signup,login.
Endpoints
Gothic exposes the following endpoints:
-
GET /settings
Returns the publicly available settings for this gothic instance.
{ "external": { "bitbucket": true, "github": true, "gitlab": true, "google": true }, "disable_signup": false, "autoconfirm": false } -
POST /signup
Register a new user with an email and password.
{ "email": "email@example.com", "password": "secret" }Returns:
{ "id": "11111111-2222-3333-4444-5555555555555", "email": "email@example.com", "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00", "created_at": "2016-05-15T19:53:12.368652374-07:00", "updated_at": "2016-05-15T19:53:12.368652374-07:00" } -
POST /invite
Invites a new user with an email.
{ "email": "email@example.com" }Returns:
{ "id": "11111111-2222-3333-4444-5555555555555", "email": "email@example.com", "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00", "created_at": "2016-05-15T19:53:12.368652374-07:00", "updated_at": "2016-05-15T19:53:12.368652374-07:00", "invited_at": "2016-05-15T19:53:12.368652374-07:00" } -
POST /verify
Verify a registration or a password recovery. Type can be
signuporrecoveryand thetokenis a token returned from either/signupor/recover.{ "type": "signup", "token": "confirmation-code-delivered-in-email", "password": "12345abcdef" }passwordis required for signup verification if no existing password exists.Returns:
{ "access_token": "jwt-token-representing-the-user", "token_type": "bearer", "expires_in": 3600, "refresh_token": "a-refresh-token" } -
POST /recover
Password recovery. Will deliver a password recovery mail to the user based on email address.
{ "email": "email@example.com" }Returns:
{} -
POST /token
This is an OAuth2 endpoint that currently implements the password, refresh_token, and authorization_code grant types
grant_type=password&username=email@example.com&password=secretor
grant_type=refresh_token&refresh_token=my-refresh-tokenOnce you have an access token, you can access the methods requiring authentication by settings the
Authorization: Bearer YOUR_ACCESS_TOKEN_HEREheader.Returns:
{ "access_token": "jwt-token-representing-the-user", "token_type": "bearer", "expires_in": 3600, "refresh_token": "a-refresh-token" } -
GET /user
Get the JSON object for the logged in user (requires authentication)
Returns:
{ "id": "11111111-2222-3333-4444-5555555555555", "email": "email@example.com", "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00", "created_at": "2016-05-15T19:53:12.368652374-07:00", "updated_at": "2016-05-15T19:53:12.368652374-07:00" } -
PUT /user
Update a user (Requires authentication). Apart from changing email/password, this method can be used to set custom user data.
{ "email": "new-email@example.com", "password": "new-password", "data": { "key": "value", "number": 10, "admin": false } }Returns:
{ "id": "11111111-2222-3333-4444-5555555555555", "email": "email@example.com", "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00", "created_at": "2016-05-15T19:53:12.368652374-07:00", "updated_at": "2016-05-15T19:53:12.368652374-07:00" } -
POST /logout
Logout a user (Requires authentication).
This will revoke all refresh tokens for the user. Remember that the JWT tokens will still be valid for stateless auth until they expires.
TODO
- Schema for custom user data in config file
Documentation
¶
There is no documentation for this package.
Source Files
Directories