Skip to content

Latest commit

 

History

History
255 lines (175 loc) · 9.38 KB

README.md

File metadata and controls

255 lines (175 loc) · 9.38 KB

an open source
authentication REST API microservice



PRESENTATION

TokTok is a microservice (a REST API) for users management and authentication based on access and refresh JSON Web Tokens (JWT)


GOALS

  • a simple server to manage users and authorizations based on JWT exchanges between client and server
  • possibility to switch on/off some extra features as : RSA decryption/encryption, anonymous JWT, sending confirmation email

DEVELOPERS


TECHNICAL POINTS

Tech stack

  • Language : Python 3.6... praise be...
  • Framework : Flask... minimalistic Python framework
  • API : Flask-RestPlus... Swagger documentation integrated, praise be noirbizarre...
  • Security : Flask-JWT-extended... wrapper JWT for Flask
  • Emailing : Flask-email... templating, sending, etc...
  • and more...

Features :

  • JWT (JSON Web Tokens) :

    • access and refresh token for security over all the app
  • RSA encryption (optionnal)

    • RSA encryption : server can send to the client a RSA public key for encryption client-side
    • RSA decryption : server can decode forms (login/register) encoded client-side with the RSA public key
  • Users management :

    • login / register user
    • anonymous login (optionnal) : sends a JWT for an anonymous use. Can be expected by server for routes with @anonymous_required decorator like /login or /register
    • confirm email (optionnal in dev mode): confirm user by sending a confirmation link (protected) in an email
    • password forgotten by sending a link (protected) in an email with redirection to new password form
    • reset password from client interface (protected) ... s
  • Documentation

    • on all API endpoints with Swagger (and some patience from the developers)
Features TO DO :
  • user :
    • edit user (working on)
    • edit email (protect email update)

INSTALLATION WALKTHROUGH

LOCALLY

  • clone / fork the depo

     git clone https://github.com/co-demos/toktok.git
  • create a virtual environment for Python3

     python3 -m venv venv
     source venv/bin/activate
     pip install --upgrade pip
     pip install -r requirements.txt
  • optionnal : create a secret config_file config_prod.py in the folder ./auth_api based

     cp ./auth_api/config_prod_example.py ./auth_api/config_prod.py
     nano ./auth_api/config_prod.py 
  • pay attention at the MONGO_URI variable depending on your local mongodb configuration...

    • The following is the standard URI connection scheme (from mongo documentation):
       mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
  • run the app in itts default mode (without possibility to send email) :

     python appserver.py
  • test the following urls :

     http://localhost:4100/api/auth/documentation
     http://localhost:4100/api/usr/documentation
    
  • once you stop the app if no longer needed deactivate your virtual environment

     deactivate

CLI OPTIONS

There are some options you can play with while running the service :

  • --mode : dev (default), dev_email, preprod, production
  • --host : the IP of your server (default : localhost)
  • --port : the port you want to run the app on (default : 4100)
  • --rsa : if you want receive the forms RSA encrypted and send the RSA public key (default : no)... protects the /login + /register + /password_forgotten + /reset_password endpoints
  • --anojwt : if you need to check the presence/validity of an "anonymous_jwt" in the request (default : no)... protects the /login + /register + /password_forgotten endpoints
  • --antispam : if you need to check the presence/validity" in the request (default : no)... protects at the /login + /register + /password_forgotten endpoints
  • --antispam_val : if you need to check the validity of the content of the antispam field in the form sent by the client (default : "")

In practice :

  • you can run the app in dev mode (with possibility to send email) :

     python appserver.py --mode=dev_email
  • you can choose to deactivate the integrated RSA decryption in the /login and /register endpoints

     python appserver.py --rsa=no
  • you can choose to activate the check for an anonymous JWT in the /login and /register endpoints

     python appserver.py --anojwt=yes
  • you can choose to activate the antispam in the /login and /register endpoints

     python appserver.py --antispam=yes --antispam_val=my-value
  • you can add up those options in the command line

     python appserver.py --anojwt=no --rsa=yes --mode=dev_email --antispam=yes

PRODUCTION

  • for now we are using the following configuration

    • droplet in digitalocean.com
    • ubuntu 18.04
    • 3Go RAM / 2CPU
    • 60Go memory
  • configure your server (user, firewall...):

  • install mongodb :

  • install nginx :

  • install git on your server

    • cf : docs 1 - basically :
       sudo apt-get update
       sudo apt-get install git
       git --version
    • go to your directory and init git :
       git init . 
       git remote add origin https://github.com/co-demos/toktok.git
       git pull origin master
      
  • same steps than for local installation (virtual env, install dependencies, config_prod.py file, ) ...

  • test to run the app in production mode (with possibility to send email) :

     python appserver.py --mode=production
  • it is then necessary to set up some service on the server to run the app as daemon. You could use supervisor for instance (check our snippets and walkthrough here)


INSPIRATIONS / BENCHMARK

  • not finding a simple enough open source solution resolving the following problem : having a third party service (on a distant server) able to serve reasonnably secure tokens and manage users, so to avoid to build/re-invent a custom authentication for login/register every time we work on an app...
  • more, be able to share user/credentials between multiple services
  • we looked at Oauth2.0 (but doesn't manage users per say), meteor-password (but dialog with websocket)...

CREDITS

TokTok's team thanks :

Contacts - maintainance :


SCREENSHOTS


alt text


alt text