Skip to content

mailru/tarantool-authman

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

tarantool-authman

Build Status

This module provides api for registration and login users in your site (or any other system). Supports login with email/password and socials (facebook.com, vk.com, google.com). It also provides api that helps to build OAuth2 authentication service, i.e. methods to manage OAuth entities such as OAuth client, authorization code and access token.

Requires tarantool >= 1.7.4.168

Installation

Using tarantoolctl:

$ tarantoolctl rocks install authman

Also available .rpm and .deb packages:

# CentOS
$ yum install tarantool-authman

# Ubuntu
$ apt-get install tarantool-authman

Quickstart

Create tarantool instance file /etc/tarantool/instances.available/tarantool-authman.lua:

box.cfg {
    listen = 3302,
}


local config = {
   -- configuration table, details below
}
auth = require('authman').api(config)

Create symlink in /etc/tarantool/instances.enabled:

$ ln -s /etc/tarantool/instances.available/tarantool-authman.lua .

Run tarantool and connect to it:

$ tarantoolctl start tarantool-authman
$ tarantoolctl enter tarantool-authman

Use auth api:

tarantool> ok, user = auth.registration('[email protected]')
tarantool> ok, user = auth.complete_registration('[email protected]', user.code, 'Pa$$wOrD')
tarantool> ok, user = auth.set_profile(user['id'], {first_name='name', laste_name='surname'})
tarantool> ok, user = auth.auth('[email protected]', 'Pa$$wOrD')
tarantool> session =  user['session']
tarantool> ok, user = auth.check_auth(session) -- user can get new session

Configuration

Example of my_config.lua module, fill empty strings with your values:

return {
    activation_secret = '',
    session_secret = '',
    restore_secret = '',
    session_lifetime = 7 * 24 * 60 * 60,
    session_update_timedelta = 2 * 24 * 60* 60,
    social_check_time = 60 * 60* 24,

    -- password_strength can be: 
    -- none, whocares, easy, common, moderate, violence, nightmare,
    password_strength = 'common', -- default value

    facebook = {
        client_id = '',
        client_secret = '',
        redirect_uri='',
    },
    google = {
        client_id = '',
        client_secret = '',
        redirect_uri=''
    },
    vk = {
        client_id = '',
        client_secret = '',
        redirect_uri='',
    },
}

Api methods

auth.registration(email)

tarantool> ok, user = auth.registration('[email protected]')
tarantool> user.code
- 022c1ff1f0b171e51cb6c6e32aefd6ab

Creates user, return user with code for email confirmation.

auth.complete_registration(email, code, password)

tarantool> ok, user = auth.complete_registration('[email protected]', code, '123')
tarantool> user
- is_active: true
  email: [email protected]
  id: bcb6e00a-1148-4b7d-9ab1-9a9a3b21ce2a

Set user is_active=true and password, return user table (without session)

auth.set_profile(user_id, profile_table)

tarantool> ok, user = auth.set_profile(id, {first_name='name', last_name='surname'})
tarantool> user
- is_active: true
  email: [email protected]
  profile: {'first_name': 'name', last_name='surname'}
  id: bcb6e00a-1148-4b7d-9ab1-9a9a3b21ce2a

Set user profile first_name and last_name

auth.get_profile(user_id)

tarantool> ok, user = auth.get_profile(id)
tarantool> user
---
- is_active: true
  email: [email protected]
  profile: {'first_name': 'name', last_name='surname'}
  id: bcb6e00a-1148-4b7d-9ab1-9a9a3b21ce2a
...

Get user profile details by id

auth.delete_user(user_id)

tarantool> auth.delete_user(id)
---
- is_active: true
  email: [email protected]
  profile: {'first_name': 'name', last_name='surname'}
  id: bcb6e00a-1148-4b7d-9ab1-9a9a3b21ce2a
...

Delete user from space

auth.auth(email, password)

tarantool> ok, user = auth.auth('[email protected]', '123')
tarantool> user
- is_active: true
  email: [email protected]
  session:'eyJ1c2VyX2lkIjoiYjhjOWVlOWQtYWUxN....'
  id: b8c9ee9d-ae15-469d-a16f-415594121ece

Sign in user, return user table (with session)

auth.check_auth(session)

tarantool> ok, user = auth.check_auth(session)
tarantool> user
- is_active: true
  email: [email protected]
  session: 'eyJ1c2VyX2lkIjoiYjhjOWVlOWQtYWUxNS00Nj.....'
  id: b8c9ee9d-ae15-469d-a16f-415594121ece

Check user is signed in, return user table (with new session)

Session can be renewed, so set it again after each call oh this method

User will contain social info, if passed session generated by using auth.social_auth() method:

tarantool> user
- is_active: true
  social:
    provider: facebook
    social_id: '123123....'
  email: [email protected]
  session: 'eyJ1c2VyX2lkIjoiYjhjOWVlOWQtYWUxNS00Nj.....'
  id: b8c9ee9d-ae15-469d-a16f-415594121ece

auth.drop_session(session)

tarantool> ok, deleted = auth.drop_session(session)
tarantool> deleted
- true

Drop user session

auth.restore_password(email)

tarantool> ok, token = auth.restore_password('[email protected]')
tarantool> token
- 8b9c03b7786a465e2175bb1a8bd8a59f

Get restore password token

auth.complete_restore_password(email, token, password)

tarantool> ok, user = auth.complete_restore_password('[email protected]', code, '234')
tarantool> user
- is_active: true
  email: [email protected]
  id: bcb6e00a-1148-4b7d-9ab1-9a9a3b21ce2a

Set new password, return user table (without session)

auth.social_auth_url(provider, state)

tarantool> ok, url = auth.social_auth_url('facebook', 'some-state-string')
tarantool> url
- https://www.facebook.com/v2.8/dialog/oauth?client_id=1813230128941062&redirect_uri={redirect}&scope=email&state=some-state-string

Return url for social auth. State is optional but recommended for csrf protection.

auth.social_auth(provider, code)

tarantool> ok, user = auth.social_auth('facebook', code)
tarantool> user
- is_active: true
  social:
    provider: facebook
    social_id: '123123....'
  profile: {'first_name': 'a', 'last_name': 'aa'}
  id: bcb6e00a-1148-4b7d-9ab1-9a9a3b21ce2a
  email: [email protected]
  session: 'eyJ1c2VyX2lkIj.....'

Sign in user, return user table (with session)

Documentation for OAuth2 related API

OAuth2

Handling errors:

If first parametr (ok - bool) is false then error is occured. Error description will be stored in second param like:

error = {code = description}

Example:

tarantool> ok, user = auth.registration('[email protected]')
tarantool> ok
- false
tarantool> user
- '2': User already exists

Complete list of error codes:

error.USER_NOT_FOUND = '1'
error.USER_ALREADY_EXISTS = '2'
error.INVALID_PARAMS = '3'
error.USER_NOT_ACTIVE = '4'
error.WRONG_PASSWORD = '5'
error.WRONG_ACTIVATION_CODE = '6'
error.WRONG_SESSION_SIGN = '7'
error.NOT_AUTHENTICATED = '8'
error.WRONG_RESTORE_TOKEN = '9'
error.USER_ALREADY_ACTIVE = '10'
error.WRONG_AUTH_CODE = '11'
error.IMPROPERLY_CONFIGURED = '12'
error.WRONG_PROVIDER = '13'
error.WEAK_PASSWORD = '14'
error.SOCIAL_AUTH_ERROR = '15'
error.OAUTH_APP_ALREADY_EXISTS = '16'
error.OAUTH_APP_NOT_FOUND = '17'
error.OAUTH_CONSUMER_NOT_FOUND = '18'
error.OAUTH_MAX_APPS_REACHED = '19'
error.OAUTH_CODE_NOT_FOUND = '20'
error.OAUTH_ACCESS_TOKEN_NOT_FOUND = '21'

Run tests:

To perform tests run this in directory with tarantool-authman module:

$ tarantool test/authman.test.lua