{"id":15430799,"url":"https://github.com/reiterate-app/authorio","last_synced_at":"2025-11-17T03:34:55.927Z","repository":{"id":62553744,"uuid":"384829352","full_name":"reiterate-app/authorio","owner":"reiterate-app","description":"IndieAuth authentication endpoint plugin for Rails","archived":false,"fork":false,"pushed_at":"2023-10-16T16:50:39.000Z","size":217,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-09T04:54:30.041Z","etag":null,"topics":["authentication","indieweb","rails","ruby"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/reiterate-app.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-11T00:35:33.000Z","updated_at":"2025-01-30T19:00:18.000Z","dependencies_parsed_at":"2024-11-13T15:52:25.187Z","dependency_job_id":null,"html_url":"https://github.com/reiterate-app/authorio","commit_stats":{"total_commits":77,"total_committers":2,"mean_commits":38.5,"dds":0.09090909090909094,"last_synced_commit":"0e5e0d33b0af161adb7dd2a9455698444f2b47dd"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/reiterate-app/authorio","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reiterate-app%2Fauthorio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reiterate-app%2Fauthorio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reiterate-app%2Fauthorio/rele
ases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reiterate-app%2Fauthorio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/reiterate-app","download_url":"https://codeload.github.com/reiterate-app/authorio/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reiterate-app%2Fauthorio/sbom","scorecard":{"id":769518,"data":{"date":"2025-08-11","repo":{"name":"github.com/reiterate-app/authorio","commit":"0e5e0d33b0af161adb7dd2a9455698444f2b47dd"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.7,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to 
analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"64 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-h47h-mwp9-c6q6","Warn: Project is vulnerable to: GHSA-4g8v-vg43-wpgf","Warn: Project is vulnerable to: GHSA-8xww-x3g3-6jcv","Warn: Project is vulnerable to: GHSA-9445-4cr6-336r","Warn: Project is vulnerable to: 
GHSA-9822-6m93-xqf4","Warn: Project is vulnerable to: GHSA-fwhr-88qx-h9g7","Warn: Project is vulnerable to: GHSA-mm33-5vfq-3mm3","Warn: Project is vulnerable to: GHSA-p84v-45xj-wwqj","Warn: Project is vulnerable to: GHSA-vfg9-r3fq-jvx4","Warn: Project is vulnerable to: GHSA-vfm5-rmrh-j26v","Warn: Project is vulnerable to: GHSA-x76w-6vjr-8xgj","Warn: Project is vulnerable to: GHSA-qjqp-xr96-cj99","Warn: Project is vulnerable to: GHSA-wwhv-wxv9-rpgw","Warn: Project is vulnerable to: GHSA-ch3h-j2vf-95pv","Warn: Project is vulnerable to: GHSA-xp5h-f8jf-rc8q","Warn: Project is vulnerable to: GHSA-3hhc-qp5v-9p2j","Warn: Project is vulnerable to: GHSA-579w-22j4-4749","Warn: Project is vulnerable to: GHSA-76r7-hhxj-r776","Warn: Project is vulnerable to: GHSA-hq7p-j377-6v63","Warn: Project is vulnerable to: GHSA-8h22-8cf7-hq6g","Warn: Project is vulnerable to: GHSA-r4mg-4433-c7g3","Warn: Project is vulnerable to: GHSA-cr5q-6q9f-rq6q","Warn: Project is vulnerable to: GHSA-j6gc-792m-qgm2","Warn: Project is vulnerable to: GHSA-pj73-v5mw-pm9j","Warn: Project is vulnerable to: GHSA-23c2-gwp5-pxw9","Warn: Project is vulnerable to: GHSA-228g-948r-83gx","Warn: Project is vulnerable to: GHSA-3x8r-x6xp-q4vm","Warn: Project is vulnerable to: GHSA-486f-hjj9-9vhh","Warn: Project is vulnerable to: GHSA-j3g3-5qv5-52mj","Warn: Project is vulnerable to: GHSA-2qc6-mcvw-92cw","Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc","Warn: Project is vulnerable to: GHSA-cgx6-hpwq-fhv5","Warn: Project is vulnerable to: GHSA-crjr-9rc5-ghw8","Warn: Project is vulnerable to: GHSA-gx8x-g87m-h5q6","Warn: Project is vulnerable to: GHSA-jc36-42cf-vqwj","Warn: Project is vulnerable to: GHSA-mrxw-mxhj-p664","Warn: Project is vulnerable to: GHSA-pxvg-2qj5-37jq","Warn: Project is vulnerable to: GHSA-r95h-9x8f-r3f7","Warn: Project is vulnerable to: GHSA-v6gp-9mmm-c6p5","Warn: Project is vulnerable to: GHSA-vvfq-8hwr-qm4m","Warn: Project is vulnerable to: 
GHSA-xc9x-jj77-9p9j","Warn: Project is vulnerable to: GHSA-xh29-r2w5-wx8m","Warn: Project is vulnerable to: GHSA-xxx9-3xcr-gjj3","Warn: Project is vulnerable to: GHSA-22f2-v57c-j9cx","Warn: Project is vulnerable to: GHSA-3h57-hmj3-gj3p","Warn: Project is vulnerable to: GHSA-54rr-7fvw-6x8f","Warn: Project is vulnerable to: GHSA-65f5-mfpf-vfhj","Warn: Project is vulnerable to: GHSA-7g2v-jj9q-g3rg","Warn: Project is vulnerable to: GHSA-7wqh-767x-r66v","Warn: Project is vulnerable to: GHSA-8cgq-6mh2-7j6v","Warn: Project is vulnerable to: GHSA-93pm-5p5f-3ghx","Warn: Project is vulnerable to: GHSA-c6qg-cjj8-47qp","Warn: Project is vulnerable to: GHSA-gjh7-p2fx-99vx","Warn: Project is vulnerable to: GHSA-hxqx-xwvh-44m2","Warn: Project is vulnerable to: GHSA-rqv2-275x-2jq5","Warn: Project is vulnerable to: GHSA-vpfw-47h7-xj4g","Warn: Project is vulnerable to: GHSA-wq4h-7r42-5hrr","Warn: Project is vulnerable to: GHSA-xj5v-6v4g-jfw6","Warn: Project is vulnerable to: GHSA-5x79-w82f-gw8w","Warn: Project is vulnerable to: GHSA-9h9g-93gc-623h","Warn: Project is vulnerable to: GHSA-mcvf-2q2m-x72m","Warn: Project is vulnerable to: GHSA-pg8v-g4xq-hww9","Warn: Project is vulnerable to: GHSA-rrfc-7g8p-99q8"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T01:51:35.001Z","repository_id":62553744,"created_at":"2025-08-23T01:51:35.001Z","updated_at":"2025-08-23T01:51:35.001Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":284818574,"owners_count":27068110,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-17T02:00:06.431Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","indieweb","rails","ruby"],"created_at":"2024-10-01T18:18:50.169Z","updated_at":"2025-11-17T03:34:55.909Z","avatar_url":"https://github.com/reiterate-app.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authorio\nThe Authorio plugin turns any Rails-based site into an authentication endpoint for Indieauth.\n\n## Motivation\n[IndieAuth](https://indieauth.com/faq) is an authentication protocol that allows you to sign in to a website using a domain name (assuming the web site supports IndieAuth). There are two servers involved in the transaction: the *client*, which is where you're logging in to (authenticating with), and the *authentication endpoint*, which verifies you are who you say you are.\n\nThere are several implementations for IndieAuth clients, if you want to support IndieAuth login on your site. 
But there aren't many useful implementations of the authentication endpoint. Many people work around this by using an IndieAuth service, such as [RelMeAuth](https://indieweb.org/RelMeAuth) which delegates authentication to a third-party site such as Twitter or Facebook.\n\nAuthorio allows you to create a truly federated authentication setup, using your own Rails site. By adding Authorio to your site, you can remove any external authentication dependencies and log in using only services you control.\n\n## Installation\n\n### 1. Add the Authorio Gem to your bundle\nAdd this line to your application's Gemfile:\n\n```ruby\ngem 'authorio'\n```\n\nAnd then execute:\n```bash\n$ bundle\n```\n\n### 2. Install Authorio config files\n```bash\n$ rails generate authorio:install\n```\n\n### 3. Install Authorio migrations\nAuthorio needs to add a couple of tables to your app's database in order to store (hashed) passwords and access tokens.\nYou will need to install the migrations and then run them to add these tables\n```bash\n$ rails authorio:install:migrations\nCopied migration 20210703002653_create_authorio_users.authorio.rb from authorio\nCopied migration 20210703002654_create_authorio_requests.authorio.rb from authorio\nCopied migration 20210710145519_create_authorio_tokens.authorio.rb from authorio\n\n$ rails db:migrate\n...\n== 20210703002653 CreateAuthorioUsers: migrated (0.0038s) =====================\n...\n== 20210703002654 CreateAuthorioRequests: migrated (0.0041s) ==================\n...\n== 20210710145519 CreateAuthorioTokens: migrated (0.0037s) ====================\n```\n\n\n### 4. Install Authorio routes\nAdd the following line somewhere inside the `Rails.application.routes.draw do` block in your `config/routes.rb` file\n```ruby\nauthorio_routes\n```\n\n### 5. 
Add the IndieAuth tags\nSomewhere on your home page, add the following to your view template:\n```erb\n\u003c%= indieauth_tag %\u003e\n```\n\nThis part of the protocol will tell the IndieAuth client where to redirect for authentication. Note that ideally\nyou should only place this tag on your home page, and not in a layout that will put it on every page on your site.\n(It won't hurt anything, but it's redundant to have it in multiple locations.)\n\nAlthough IndieAuth works fine if you put the tag inside a page body, technically it's against the HTML spec to put\n`link` tags inside the `\u003cbody\u003e`. So the best practice would be to set up the IndieAuth tags as content from your home page.\n\nIf you want to set it up that way, then inside the layout where your `HEAD` is defined (typically `application.html.erb`)\nyou will want to add this line:\n```erb\n\u003c%= yield :indieauth_link_tags -%\u003e\n```\n\nand then from your home page, add\n```erb\n\u003c% content_for :indieauth_link_tags, indieauth_tag %\u003e\n```\n\nThis way the IndieAuth tags will appear in your HTML header, but only for your home page.\n\n### 6. Set your initial password\nBy default, Authorio uses a simple password to authenticate you. This password is hashed and stored in your app\ndatabase, which presumably you control.\n\nYou are free to customize Authorio to change its authentication scheme however you want, but to get started\nquickly you'll want to set up a password for yourself.\n\n```bash\n$ rake authorio:password\n\nEnter new password: \nConfirm password: \nPassword set\n```\n\n### 7. Precompile assets\n\nAuthorio has some of its own assets which, if you're running in a production environment, will need to be precompiled\nlike your existing assets. 
Re-run your normal precompilation step to ensure Authorio's assets are in your asset pipeline\n```bash\n$ rails assets:precompile\n```\nNow restart your Rails app, and you should be all set!\n\n## Usage\n\nTo test your authentication endpoint, find an IndieAuth client you can log in to. A simple test is to try to log in\nto the [IndieWeb.org website](https://indieweb.org)\n\n- From the home page, click on *Log In* in the upper right, or visit the [login page](https://sso.indieweb.org/login?url=https%3A%2F%2Findieweb.org%2FMain_Page) directly.\n- Enter your site's URL (or if you put the indieauth tag on a page other than your home page, enter that URL)\n- You should then be redirected back to your own site and the Authorio login UI\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"./auth-ui.png\" width=\"400\"\u003e\n\u003c/p\u003e\n\n- Enter the password you set up when you installed Authorio. This should redirect you back to the client where you\nwill be logged in!\n\n## Configuration\n\nWhen you installed Authorio it placed a config file in `config/initializers/authorio.rb`. If you want to change\none of the defaults you can uncomment it and specify it here.\n\n### Mount Point\n\nMost Rails engines are mounted via `mount Authorio::Engine, at: mount_point`. But Authorio needs to know its own\nmount point (to specify its URL in the header tag) so you specify the mount point here. The default `authorio`\nshould work for everyone.\n\n### Authorization and Token Endpoint\n\nThese endpoints are given to servers via discovery. The default values should suffice.\n\n### Token Expiration\n\nIf a client asks for an authentication token, the token will be valid for this length of time, after which\nyou will have to re-authenticate. Longer-lasting\ntokens can possibly be a security risk. Default is 4 weeks.\n\n### Local Session Lifetime\n\nSetting this to a time interval will enable you to authenticate without typing in your password. 
It enables a\n\"remember me\" checkbox on the authentication form. If you check that, then enter your\npassword once, then your session will be saved in a cookie, and any time you are asked to authenticate again,\nyou can just click \"Sign In\" without your password. It can be a security risk if someone else has access to\nthe machine you are using to log in with (e.g. your laptop). Obviously you don't want to check \"remember me\"\non a public-access computer. Default is *nil* (disabled)\n\n### TODO\n\n- [ ] Customizing the authentication view/UI\n- [ ] Customizing the authentication method\n\n## User Profile\n\nYou can set up your \u003ca href=\"doc/profile.md\"\u003euser profile\u003c/a\u003e which can be sent to authenticating clients.\n\n## Contributing\nSend pull requests to [Authorio on GitHub](https://github.com/reiterate-app/authorio)\n\n## License\nThe gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freiterate-app%2Fauthorio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freiterate-app%2Fauthorio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freiterate-app%2Fauthorio/lists"}