{"id":22725234,"url":"https://github.com/meinto/anonymous-api-auth-provider","last_synced_at":"2025-03-29T23:23:01.476Z","repository":{"id":80560632,"uuid":"431614618","full_name":"meinto/anonymous-api-auth-provider","owner":"meinto","description":"Prevent unauthorised access of public endpoints by for example bots or bad clients.","archived":false,"fork":false,"pushed_at":"2021-11-25T09:14:41.000Z","size":181,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-05T00:44:37.542Z","etag":null,"topics":["auth","authorization","public-api","security","session-token"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/meinto.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-11-24T20:07:17.000Z","updated_at":"2024-03-03T04:27:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"be203e63-e068-43b2-8e6a-f95728dba8d5","html_url":"https://github.com/meinto/anonymous-api-auth-provider","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meinto%2Fanonymous-api-auth-provider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meinto%2Fanonymous-api-auth-provider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meinto%2Fanonymous-api-auth-provider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meinto%2Fanonymous-api-auth-provider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/meinto","download_url":"https://codeload.github.com/meinto/anonymous-api-auth-provider/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246256254,"owners_count":20748222,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","authorization","public-api","security","session-token"],"created_at":"2024-12-10T15:10:20.436Z","updated_at":"2025-03-29T23:23:01.456Z","avatar_url":"https://github.com/meinto.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Anonymous API Auth Provider\n\nInspired by: https://hackernoon.com/improve-the-security-of-api-keys-v5kp3wdu\n\n## Architecture\n\nThe basic idea is to prevent unauthorised access to a public endpoint by bots or bad clients. Only known clients should be able to use the API. For example, when you have a `POST` interface that should only be requested by your own website, all requests from other clients to this public `POST` endpoint should be rejected.\n\nThis repository introduces a separate service, the \"Anonymous API Auth Provider\" (`aaap`), which can be requested to retrieve an access-token. The public endpoint can then validate this token.\n\nThe `aaap` and the public endpoint therefore share an api-key as a secret. The `aaap` signs the token with the api-key, and the public endpoint can check whether the token was signed with this api-key. Otherwise the public endpoint rejects the request.\n\nBut before the `aaap` generates the access-token and sends it to the requesting client, the client has to solve a challenge. This challenge is the shared secret between the `aaap` and the authorised client (e.g. your website):\n\n![Authorised Client](./assets/authorised-client.png)\n\nA bad client or a bot cannot solve the challenge provided by the `aaap`. In this case the `aaap` would send an invalid access-token to the client, and the public endpoint's check of the token signature would fail. The request would be rejected:\n\n![Bot or Bad Client](./assets/bad-client.png)\n\nAn attacker targeting this public endpoint would have to reverse engineer the authorised client to find out how the challenge of the `aaap` can be solved. This requires a reasonable amount of effort, especially when the code of the authorised client is obfuscated.\n\n## Usage\n\nDefine your own `challenge.sh` \u0026 `response.sh` and mount them into the docker image.\n\n- Make sure to provide a random, unique challenge on every execution of `challenge.sh`.\n- Make sure `response.sh` generates a deterministic response for each input produced by `challenge.sh`  \n  :warning: The response must also be implemented on your client.\n- Define an api-key and provide it in the environment variables of the docker image.\n- Define how long the token should be valid  \n  :warning: The token lifetime should be validated in your public endpoint, as well as the token signature.\n\n## Docker\n\n### Build your own docker image\n\nIntegrate your `challenge.sh` \u0026 `response.sh` directly in your own docker image. It is also advisable to install additional programs, for example a UUID generator, which can be used when designing your custom challenge/response.\n\n```bash\ncd example\n# build\ndocker build -t authprovider-example .\n# run\ndocker run -p 8080:8080 -e API_KEY=your-api-key -e TOKEN_EXPIRE=3600 -e PORT=8080 authprovider-example\n```\n\n### Mount volume\n\nYou can also mount your custom `challenge.sh` \u0026 `response.sh`.\n\n```bash\n# build\ndocker build -f docker/Dockerfile -t authprovider .\n# run\ndocker run -p 8080:8080 -v `pwd`/path/to/your/own/scripts/folder:/service/scripts -e API_KEY=your-api-key -e TOKEN_EXPIRE=3600 -e PORT=8080 authprovider\n```\n\n## Development\n\n```bash\nAPI_KEY=your-key go run main.go\n```\n\n## Known Limitations\n\n- clustering is currently not possible  \n  it will be possible in the future with Redis integration\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmeinto%2Fanonymous-api-auth-provider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmeinto%2Fanonymous-api-auth-provider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmeinto%2Fanonymous-api-auth-provider/lists"}