{"id":51510294,"url":"https://github.com/man4ish/omnibioai-auth","last_synced_at":"2026-07-08T05:01:58.423Z","repository":{"id":365320407,"uuid":"1238051851","full_name":"man4ish/omnibioai-auth","owner":"man4ish","description":"Production-grade FastAPI authentication service for OmniBioAI — JWT-based login with access and refresh tokens, role-based access control (RBAC), MySQL-backed user and role management, OAuth2 password flow, and token revocation. Central identity provider for all platform services.","archived":false,"fork":false,"pushed_at":"2026-06-16T20:19:36.000Z","size":43,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-16T22:11:31.786Z","etag":null,"topics":["authentication","fastapi","jwt","mysql","oauth2","omnibioai","python","rbac"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/man4ish.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-13T19:08:17.000Z","updated_at":"2026-06-16T20:20:00.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/man4ish/omnibioai-auth","commit_stats":null,"previous_names":["man4ish/omnibioai-auth"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/man4ish/omnibioai-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/man4ish","download_url":"https://codeload.github.com/man4ish/omnibioai-auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35252324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-08T02:00:06.796Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","fastapi","jwt","mysql","oauth2","omnibioai","python","rbac"],"created_at":"2026-07-08T05:01:57.628Z","updated_at":"2026-07-08T05:01:58.406Z","avatar_url":"https://github.com/man4ish.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# omnibioai-auth\n\n**JWT authentication and authorization service for the OmniBioAI platform.**\n\nCentral identity layer for the OmniBioAI zero-trust security plane.\nHandles user registration, login, token issuance, refresh, logout,\nand validation across all platform services.\n\n---\n\n## Architecture Role\n\n`omnibioai-auth` runs as a containerized service inside the OmniBioAI Docker\nCompose stack. All platform services — TES (workflow execution), Studio\n(Electron UI), LIMS (data management), and Control Center — delegate token\nvalidation to this service rather than implementing their own auth logic.\n\n```\nStudio / TES / LIMS / Control Center / SDK\n              |\n        POST /auth/validate\n              |\n       omnibioai-auth (:8001)\n         /         \\\n      MySQL        Redis\n  (users, tokens)  (blacklist, pub/sub)\n```\n\nRedis also carries a `policy:invalidate` pub/sub channel. On logout,\n`omnibioai-auth` publishes an invalidation event so downstream services can\nflush any cached token state immediately.\n\n---\n\n## Endpoints\n\n| Method | Path | Description |\n|--------|------|-------------|\n| `POST` | `/auth/register` | Create a new user account |\n| `POST` | `/auth/login` | Authenticate and issue access + refresh tokens |\n| `POST` | `/auth/refresh` | Exchange a valid refresh token for a new access token |\n| `POST` | `/auth/logout` | Revoke refresh token; blacklist access token in Redis |\n| `POST` | `/auth/validate` | Validate a token and return user identity + roles |\n| `GET`  | `/health` | Liveness check — returns `{\"status\": \"ok\"}` |\n| `GET`  | `/metrics` | Prometheus metrics (jwt_auth_total counter) |\n\n### Login\n\n```http\nPOST /auth/login\nContent-Type: application/json\n\n{\"email\": \"user@example.com\", \"password\": \"...\"}\n```\n\n```json\n{\n  \"access_token\": \"\u003cjwt\u003e\",\n  \"refresh_token\": \"\u003cjwt\u003e\",\n  \"token_type\": \"bearer\"\n}\n```\n\n### Validate\n\n```http\nPOST /auth/validate\nContent-Type: application/json\n\n{\"token\": \"\u003cjwt\u003e\"}\n```\n\n```json\n{\n  \"valid\": true,\n  \"user_id\": 1,\n  \"email\": \"user@example.com\",\n  \"roles\": [\"researcher\"],\n  \"permissions\": [\"workflow:run\", \"dataset:read\"]\n}\n```\n\n---\n\n## Token Model\n\n- **Access token** — HS256 JWT, 15-minute TTL. On logout, the JTI is written\n  to Redis with a matching TTL so the token is immediately rejected by\n  `/auth/validate` for the rest of its natural lifetime.\n- **Refresh token** — HS256 JWT, 7-day TTL. Stored in MySQL; revoked in the\n  `revoked_tokens` table on logout or explicit revocation.\n- **Validation fast path** — Redis blacklist checked before the DB query.\n\n---\n\n## RBAC\n\nRoles and permissions are embedded in the JWT payload and enforced by\n`app/rbac.py` via FastAPI dependency injection.\n\n**Roles:** `admin`, `researcher`, `hpc_user`, `viewer`\n\n**Permissions:** `workflow:run`, `workflow:cancel`, `dataset:read`,\n`dataset:write`, `hpc:submit`\n\n---\n\n## Running in the Stack\n\nThis service is not intended to run in isolation. Start it via the top-level\n`docker-compose.yml` in the `machine/` monorepo:\n\n```bash\ndocker compose up omnibioai-auth\n```\n\nThe service depends on `mysql` and `redis` compose services being healthy\nbefore it starts. An admin user is bootstrapped automatically on first startup.\n\n---\n\n## Environment Variables\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `DB_USER` | — | MySQL username |\n| `DB_PASSWORD` | — | MySQL password |\n| `DB_HOST` | `localhost` | MySQL host (use `mysql` inside compose) |\n| `DB_PORT` | `3306` | MySQL port |\n| `DB_NAME` | `omnibioai` | Database name |\n| `SECRET_KEY` | — | JWT signing secret (required) |\n| `ACCESS_TOKEN_EXPIRE_MINUTES` | `15` | Access token lifetime |\n| `REFRESH_TOKEN_EXPIRE_DAYS` | `7` | Refresh token lifetime |\n| `REDIS_URL` | `redis://redis:6379` | Redis connection URL |\n\n---\n\n## Project Structure\n\n```\napp/\n├── main.py                  # FastAPI entrypoint, admin bootstrap, /metrics, /health\n├── rbac.py                  # Role + permission dependency helpers\n├── api/\n│   ├── routes_auth.py       # Auth endpoints + Redis blacklist logic\n│   └── deps.py              # Shared FastAPI dependencies\n├── core/\n│   ├── config.py            # Settings from environment\n│   ├── jwt.py               # Token creation and decoding\n│   └── security.py          # Password hashing\n├── db/\n│   ├── models.py            # User, RefreshToken, RevokedToken models\n│   ├── session.py           # SQLAlchemy engine + session factory\n│   ├── base.py              # Declarative base\n│   └── init_admin.py        # Admin user bootstrap\n├── services/\n│   ├── auth_service.py      # authenticate, generate_tokens, revoke_token\n│   ├── user_service.py      # User CRUD helpers\n│   └── service_tokens.py    # Service-to-service token helpers\n└── schemas/\n    ├── auth.py              # LoginRequest, RefreshRequest, LogoutRequest\n    └── user.py              # User response schemas\n```\n\n---\n\n## Tests\n\n```bash\npytest tests/\n```\n\nCoverage targets: auth flows (`test_auth.py`), RBAC (`test_rbac.py`),\nsecurity primitives (`test_security.py`), health check (`test_health.py`).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fman4ish%2Fomnibioai-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-auth/lists"}