{"id":30273688,"url":"https://github.com/m1thrandir225/whoami","last_synced_at":"2025-10-07T09:02:07.282Z","repository":{"id":303863406,"uuid":"1014014104","full_name":"m1thrandir225/whoami","owner":"m1thrandir225","description":"A Central Authentication Service written in Go.","archived":false,"fork":false,"pushed_at":"2025-07-27T22:38:46.000Z","size":448,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-07-28T00:23:23.193Z","etag":null,"topics":["cas","go","golang","jwt","oauth2","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m1thrandir225.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-04T22:00:32.000Z","updated_at":"2025-07-27T22:38:49.000Z","dependencies_parsed_at":"2025-07-10T05:09:21.687Z","dependency_job_id":"61fba5a8-6bae-4388-82be-347768231db8","html_url":"https://github.com/m1thrandir225/whoami","commit_stats":null,"previous_names":["m1thrandir225/whoami"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/m1thrandir225/whoami","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m1thrandir225%2Fwhoami","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m1thrandir225%2Fwhoami/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m1thrandir225%2Fwhoami/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m1thrandir225%2Fwhoami/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/m1thrandir225","download_url":"https://codeload.github.com/m1thrandir225/whoami/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m1thrandir225%2Fwhoami/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270684249,"owners_count":24627773,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-16T02:00:11.002Z","response_time":91,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cas","go","golang","jwt","oauth2","security"],"created_at":"2025-08-16T07:39:03.724Z","updated_at":"2025-10-07T09:02:07.276Z","avatar_url":"https://github.com/m1thrandir225.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n \u003cimg src='./.github/images/whoami-logo.png' height=100/\u003e\n\u003c/div\u003e\n\n# whoami\n\nA Central Authentication Service written entirely in Go. The service is intended to be fully Open-Source and used as a separate service in your application. It's designed to be easily plug-and-play for microservices architectures and frontend applications that need authentication features instead of using services like Firebase or Supabase.\n\n## 🚀 Features\n\n- **Basic Username/Password Authentication** - Secure login with email/username and password\n- **Email Verification** - Email-based account verification system\n- **OAuth2 Integration** - Support for Google and GitHub OAuth providers\n- **Password Reset Flows** - Secure password reset with HOTP-based OTP verification\n- **Account Management** - Account activation/deactivation capabilities\n- **Rate Limiting** - Per IP and per user rate limiting to prevent abuse\n- **Security Monitoring** - Suspicious activity detection and logging\n- **Password Security** - Password history tracking and strength requirements\n- **HaveIBeenPwned Integration** - Check passwords against known breaches\n- **Account Lockout** - Automatic account lockout after multiple failed attempts\n- **Session Management** - Short-lived access tokens with longer refresh tokens\n- **Audit Logging** - Comprehensive audit trail for all user actions\n- **Device Management** - Track and manage user devices\n- **Data Export** - GDPR-compliant data export functionality\n\n## 🏗️ Architecture\n\n### System Overview\n\n```mermaid\ngraph TB\n subgraph \"Frontend (React + Vite)\"\n FE[React Frontend]\n FE --\u003e |API Calls| API\n end\n\n subgraph \"Backend (Go + Gin)\"\n API[REST API]\n API --\u003e |Rate Limiting| RL[Rate Limiter]\n API --\u003e |Authentication| AUTH[Auth Middleware]\n API --\u003e |Token Management| TM[Token Maker]\n API --\u003e |Session Management| SM[Session Service]\n end\n\n subgraph \"Services Layer\"\n US[User Service]\n SS[Security Service]\n PS[Password Security Service]\n ES[Email Service]\n PRS[Password Reset Service]\n AS[Audit Service]\n OS[OAuth Service]\n DS[Device Service]\n DES[Data Export Service]\n end\n\n subgraph \"Repositories Layer\"\n UR[User Repository]\n SR[Security Repository]\n PR[Password Repository]\n ER[Email Repository]\n AR[Audit Repository]\n OR[OAuth Repository]\n DR[Device Repository]\n DER[Data Export Repository]\n end\n\n subgraph \"External Services\"\n DB[(PostgreSQL)]\n REDIS[(Redis)]\n SMTP[SMTP Server]\n GOOGLE[Google OAuth]\n GITHUB[GitHub OAuth]\n HIBP[HaveIBeenPwned API]\n end\n\n API --\u003e US\n API --\u003e SS\n API --\u003e PS\n API --\u003e ES\n API --\u003e PRS\n API --\u003e AS\n API --\u003e OS\n API --\u003e DS\n API --\u003e DES\n\n US --\u003e UR\n SS --\u003e SR\n PS --\u003e PR\n ES --\u003e ER\n AS --\u003e AR\n OS --\u003e OR\n DS --\u003e DR\n DES --\u003e DER\n\n UR --\u003e DB\n SR --\u003e DB\n PR --\u003e DB\n ER --\u003e DB\n AR --\u003e DB\n OR --\u003e DB\n DR --\u003e DB\n DER --\u003e DB\n\n RL --\u003e REDIS\n SM --\u003e REDIS\n TM --\u003e REDIS\n\n ES --\u003e SMTP\n PRS --\u003e SMTP\n OS --\u003e GOOGLE\n OS --\u003e GITHUB\n PS --\u003e HIBP\n```\n\n### Database Schema\n\n```mermaid\nerDiagram\n users ||--o{ user_profiles : has\n users ||--o{ refresh_tokens : has\n users ||--o{ email_verifications : has\n users ||--o{ password_resets : has\n users ||--o{ password_history : has\n users ||--o{ login_attempts : has\n users ||--o{ account_lockouts : has\n users ||--o{ suspicious_activities : has\n users ||--o{ audit_logs : generates\n users ||--o{ user_devices : has\n users ||--o{ oauth_accounts : has\n users ||--o{ data_exports : requests\n\n users {\n bigint id PK\n varchar email UK\n varchar username UK\n varchar password_hash\n boolean email_verified\n boolean active\n varchar role\n jsonb privacy_settings\n timestamptz last_login_at\n timestamptz password_changed_at\n timestamptz created_at\n timestamptz updated_at\n }\n\n user_profiles {\n bigint id PK\n bigint user_id FK\n varchar first_name\n varchar last_name\n varchar phone\n varchar avatar_url\n text bio\n varchar timezone\n varchar locale\n timestamptz created_at\n timestamptz updated_at\n }\n\n refresh_tokens {\n bigint id PK\n bigint user_id FK\n varchar token_hash\n timestamptz expires_at\n timestamptz created_at\n }\n\n password_resets {\n bigint id PK\n bigint user_id FK\n varchar token_hash\n varchar hotp_secret\n integer counter\n timestamptz expires_at\n timestamptz used_at\n timestamptz created_at\n }\n\n oauth_accounts {\n bigint id PK\n bigint user_id FK\n varchar provider\n varchar provider_user_id\n varchar email\n varchar name\n varchar avatar_url\n jsonb provider_data\n timestamptz created_at\n timestamptz updated_at\n }\n\n audit_logs {\n bigint id PK\n bigint user_id FK\n varchar action\n varchar resource_type\n bigint resource_id\n inet ip_address\n text user_agent\n jsonb details\n timestamptz created_at\n }\n```\n\n## 🔄 Common Flows\n\n### 1. User Registration Flow\n\n```mermaid\nsequenceDiagram\n participant U as User\n participant F as Frontend\n participant A as API\n participant US as User Service\n participant ES as Email Service\n participant DB as Database\n participant SMTP as SMTP Server\n\n U-\u003e\u003eF: Fill registration form\n F-\u003e\u003eA: POST /api/v1/register\n A-\u003e\u003eA: Rate limiting check\n A-\u003e\u003eUS: Create user\n US-\u003e\u003eUS: Validate password strength\n US-\u003e\u003eUS: Check HaveIBeenPwned\n US-\u003e\u003eUS: Hash password\n US-\u003e\u003eDB: Save user (email_verified=false)\n US-\u003e\u003eES: Send verification email\n ES-\u003e\u003eSMTP: Send email\n A-\u003e\u003eF: 201 Created\n F-\u003e\u003eU: Show success message\n SMTP-\u003e\u003eU: Verification email\n```\n\n### 2. User Login Flow\n\n```mermaid\nsequenceDiagram\n participant U as User\n participant F as Frontend\n participant A as API\n participant SS as Security Service\n participant US as User Service\n participant TM as Token Maker\n participant SM as Session Service\n participant DB as Database\n participant R as Redis\n\n U-\u003e\u003eF: Enter credentials\n F-\u003e\u003eA: POST /api/v1/login\n A-\u003e\u003eA: Rate limiting check\n A-\u003e\u003eSS: Check account lockout\n A-\u003e\u003eUS: Get user by email\n US-\u003e\u003eDB: Query user\n A-\u003e\u003eA: Verify password\n alt Invalid credentials\n A-\u003e\u003eSS: Record failed login\n SS-\u003e\u003eDB: Save login attempt\n A-\u003e\u003eF: 401 Unauthorized\n else Valid credentials\n A-\u003e\u003eSS: Record successful login\n SS-\u003e\u003eDB: Save login attempt\n A-\u003e\u003eTM: Generate access token\n A-\u003e\u003eSM: Create session\n SM-\u003e\u003eR: Store session\n A-\u003e\u003eF: 200 OK + tokens\n F-\u003e\u003eU: Redirect to dashboard\n end\n```\n\n### 3. Password Reset Flow\n\n```mermaid\nsequenceDiagram\n participant U as User\n participant F as Frontend\n participant A as API\n participant PRS as Password Reset Service\n participant PS as Password Security Service\n participant ES as Email Service\n participant DB as Database\n participant SMTP as SMTP Server\n\n U-\u003e\u003eF: Request password reset\n F-\u003e\u003eA: POST /api/v1/password-reset/request\n A-\u003e\u003ePRS: Request reset\n PRS-\u003e\u003eDB: Get user by email\n PRS-\u003e\u003ePRS: Generate reset token\n PRS-\u003e\u003ePRS: Generate HOTP secret\n PRS-\u003e\u003eDB: Save reset record\n PRS-\u003e\u003eES: Send reset email\n ES-\u003e\u003eSMTP: Send email with token\n A-\u003e\u003eF: 200 OK\n SMTP-\u003e\u003eU: Reset email\n\n U-\u003e\u003eF: Click reset link\n F-\u003e\u003eA: POST /api/v1/password-reset/verify\n A-\u003e\u003ePRS: Verify token\n PRS-\u003e\u003eDB: Get reset record\n PRS-\u003e\u003ePRS: Generate HOTP OTP\n PRS-\u003e\u003eES: Send OTP email\n ES-\u003e\u003eSMTP: Send OTP\n SMTP-\u003e\u003eU: OTP email\n\n U-\u003e\u003eF: Enter OTP\n F-\u003e\u003eA: POST /api/v1/password-reset/verify-otp\n A-\u003e\u003ePRS: Verify OTP\n PRS-\u003e\u003ePRS: Validate HOTP\n\n U-\u003e\u003eF: Enter new password\n F-\u003e\u003eA: POST /api/v1/password-reset/reset\n A-\u003e\u003ePRS: Reset password\n PRS-\u003e\u003ePS: Validate new password\n PRS-\u003e\u003ePS: Update password\n PS-\u003e\u003eDB: Update user password\n PRS-\u003e\u003eDB: Mark reset as used\n A-\u003e\u003eF: 200 OK\n```\n\n### 4. OAuth Login Flow\n\n```mermaid\nsequenceDiagram\n participant U as User\n participant F as Frontend\n participant A as API\n participant OS as OAuth Service\n participant OP as OAuth Provider\n participant US as User Service\n participant TM as Token Maker\n participant DB as Database\n\n U-\u003e\u003eF: Click OAuth login\n F-\u003e\u003eA: GET /api/v1/oauth/login/google\n A-\u003e\u003eOS: Generate OAuth state\n A-\u003e\u003eOP: Get authorization URL\n A-\u003e\u003eF: Return auth URL\n F-\u003e\u003eU: Redirect to OAuth provider\n\n U-\u003e\u003eOP: Authorize application\n OP-\u003e\u003eF: Redirect with code\n F-\u003e\u003eA: GET /api/v1/oauth/callback/google\n A-\u003e\u003eOS: Validate state\n A-\u003e\u003eOP: Exchange code for token\n OP-\u003e\u003eA: Return user info\n A-\u003e\u003eOS: Authenticate/create user\n OS-\u003e\u003eDB: Check existing OAuth account\n alt New user\n OS-\u003e\u003eUS: Create new user\n US-\u003e\u003eDB: Save user\n OS-\u003e\u003eDB: Save OAuth account\n else Existing user\n OS-\u003e\u003eDB: Get existing user\n end\n A-\u003e\u003eTM: Generate tokens\n A-\u003e\u003eF: Return tokens\n F-\u003e\u003eU: Login successful\n```\n\n### 5. Session Management Flow\n\n```mermaid\nsequenceDiagram\n participant F as Frontend\n participant A as API\n participant AM as Auth Middleware\n participant TM as Token Maker\n participant SM as Session Service\n participant R as Redis\n\n F-\u003e\u003eA: API request with token\n A-\u003e\u003eAM: Validate token\n AM-\u003e\u003eTM: Verify token signature\n AM-\u003e\u003eSM: Check session\n SM-\u003e\u003eR: Get session data\n alt Valid session\n SM-\u003e\u003eAM: Return session\n AM-\u003e\u003eA: Continue request\n A-\u003e\u003eF: Return response\n else Invalid/expired session\n AM-\u003e\u003eF: 401 Unauthorized\n F-\u003e\u003eA: POST /api/v1/refresh\n A-\u003e\u003eTM: Generate new tokens\n A-\u003e\u003eSM: Update session\n SM-\u003e\u003eR: Store new session\n A-\u003e\u003eF: Return new tokens\n end\n```\n\n## 🛠️ Technology Stack\n\n### Backend\n\n- **Go 1.24.1** - Main programming language\n- **Gin** - HTTP web framework\n- **PostgreSQL** - Primary database\n- **Redis** - Caching and session storage\n- **PASETO** - Token generation and validation\n- **HOTP** - One-time password generation\n- **SQLC** - Type-safe SQL code generation\n- **Golang-migrate** - Database migrations\n\n### Frontend\n\n- **React 19** - UI framework\n- **TypeScript** - Type safety\n- **Vite** - Build tool and dev server\n- **TanStack Router** - File-based routing\n- **TanStack Query** - Data fetching and caching\n- **Zustand** - State management\n- **Tailwind CSS** - Styling\n- **Radix UI** - Component primitives\n- **React Hook Form** - Form handling\n- **Zod** - Schema validation\n\n### Infrastructure\n\n- **Docker \u0026 Docker Compose** - Containerization\n- **Nginx** - Reverse proxy and static file serving\n- **SSL/TLS** - HTTPS support\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n- Go 1.24.1+\n- Node.js 18+\n- Docker \u0026 Docker Compose\n- PostgreSQL 17+\n- Redis 7+\n\n### 1. Clone and Setup\n\n```bash\ngit clone https://github.com/m1thrandir225/whoami.git\ncd whoami\nmake setup\n```\n\n### 2. Configure Environment\n\nEdit `deployment/.env` file with your configuration:\n\n```bash\n# Database\nDB_SOURCE=postgres://whoami_user:secret@whoami-db:5432/whoami_db?ENABLE_TLS=false\n\n# Redis\nREDIS_URL=redis://whoami-redis:6379\n\n# Email (SMTP)\nSMTP_HOST=your-smtp-host\nSMTP_PORT=587\nSMTP_USERNAME=your-username\nSMTP_PASSWORD=your-password\n\n# OAuth Providers\nGOOGLE_OAUTH_CLIENT_ID=your-google-client-id\nGOOGLE_OAUTH_CLIENT_SECRET=your-google-client-secret\nGITHUB_OAUTH_CLIENT_ID=your-github-client-id\nGITHUB_OAUTH_CLIENT_SECRET=your-github-client-secret\n\n# Frontend\nFRONTEND_URL=http://localhost:3000\nVITE_BACKEND_URL=http://localhost:8080\n```\n\n### 3. Start Services\n\n```bash\n# Start all services with Docker Compose\nmake docker-up\n\n# Apply database migrations\nmake migrate-up-docker\n\n# View logs\nmake docker-logs\n```\n\n### 4. Access the Application\n\n- **Frontend**: http://localhost:3000\n- **Backend API**: http://localhost:8080 or https://localhost:8443\n- **Health Check**: http://localhost:8080/health\n\n## 📚 API Documentation\n\n### Authentication Endpoints\n\n| Method | Endpoint | Description | Rate Limit |\n| ------ | ------------------ | -------------------- | ------------ |\n| POST | `/api/v1/register` | User registration | Registration |\n| POST | `/api/v1/login` | User login | Auth |\n| POST | `/api/v1/refresh` | Refresh access token | Auth |\n| POST | `/api/v1/logout` | User logout | Default |\n\n### Password Reset Endpoints\n\n| Method | Endpoint | Description | Rate Limit |\n| ------ | ----------------------------------- | ---------------------- | -------------- |\n| POST | `/api/v1/password-reset/request` | Request password reset | Password Reset |\n| POST | `/api/v1/password-reset/verify` | Verify reset token | Password Reset |\n| POST | `/api/v1/password-reset/verify-otp` | Verify OTP | Password Reset |\n| POST | `/api/v1/password-reset/reset` | Reset password | Password Reset |\n\n### OAuth Endpoints\n\n| Method | Endpoint | Description | Rate Limit |\n| ------ | ---------------------------------- | -------------------- | ---------- |\n| GET | `/api/v1/oauth/login/:provider` | Initiate OAuth login | Default |\n| GET | `/api/v1/oauth/callback/:provider` | OAuth callback | Default |\n| POST | `/api/v1/oauth/exchange` | Exchange temp token | Default |\n\n### Protected Endpoints\n\n| Method | Endpoint | Description | Rate Limit |\n| ------ | ------------------------------ | ------------------------- | ---------- |\n| GET | `/api/v1/me` | Get current user | Default |\n| PUT | `/api/v1/user/:id` | Update user | Default |\n| POST | `/api/v1/user/update-password` | Update password | Default |\n| GET | `/api/v1/sessions` | Get user sessions | Default |\n| DELETE | `/api/v1/sessions/:token` | Revoke session | Default |\n| GET | `/api/v1/security/activities` | Get suspicious activities | Default |\n| GET | `/api/v1/audit/recent` | Get recent audit logs | Default |\n| GET | `/api/v1/devices` | Get user devices | Default |\n| POST | `/api/v1/exports` | Request data export | Default |\n\n## 🔧 Development\n\n### Local Development Setup\n\n```bash\n# Install dependencies\ngo mod tidy\ncd frontend \u0026\u0026 pnpm install\n\n# Start database and Redis\nmake docker-up\n\n# Run migrations\nmake migrate-up\n\n# Start backend\nmake server\n\n# Start frontend (in another terminal)\ncd frontend \u0026\u0026 pnpm dev\n```\n\n### Available Make Commands\n\n```bash\nmake help # Show all available commands\nmake setup # Complete setup with env generation\nmake build # Build Go binary\nmake test # Run tests\nmake lint # Run linter\nmake docker-up # Start services with Docker\nmake docker-down # Stop services\nmake migrate-up-docker # Apply migrations\nmake sqlc # Generate SQL code\n```\n\n### Database Migrations\n\n```bash\n# Create new migration\nmake migrate-create name=add_new_table\n\n# Apply migrations\nmake migrate-up-docker\n\n# Rollback migrations\nmake migrate-down-docker steps=1\n\n# Check migration status\nmake migrate-status-docker\n```\n\n## 🔒 Security Features\n\n### Rate Limiting\n\n- **Registration**: 5 requests per hour per IP\n- **Authentication**: 10 requests per hour per IP\n- **Password Reset**: 3 requests per hour per IP\n- **Default**: 100 requests per hour per user\n\n### Password Security\n\n- Minimum 8 characters\n- Must contain uppercase, lowercase, number, and special character\n- Checked against HaveIBeenPwned database\n- Password history tracking (prevents reuse of last 5 passwords)\n\n### Account Security\n\n- Account lockout after 5 failed login attempts\n- Suspicious activity detection and logging\n- Device tracking and management\n- Comprehensive audit logging\n\n### Token Security\n\n- PASETO tokens for stateless authentication\n- Short-lived access tokens (15 minutes)\n- Longer refresh tokens (7 days)\n- Token blacklisting for secure logout\n\n## 🚀 Deployment\n\n### Production Deployment\n\n```bash\n# Build production images\nmake docker-build\n\n# Set production environment\nexport ENVIRONMENT=production\n\n# Start production services\nmake docker-up\n```\n\n### Environment Variables\n\nSee `deployment/.env` for complete configuration options including:\n\n- Database configuration\n- Redis configuration\n- Email/SMTP settings\n- OAuth provider credentials\n- Security settings\n- Frontend configuration\n\n## 📄 License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n\u003cdiv align=\"center\"\u003e\n \u003cp\u003eBuilt with ❤️ by Sebastijan Zindl.\u003c/p\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm1thrandir225%2Fwhoami","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm1thrandir225%2Fwhoami","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm1thrandir225%2Fwhoami/lists"}