{"id":22878566,"url":"https://github.com/scblur869/secure-auth-service","last_synced_at":"2025-03-31T14:28:48.170Z","repository":{"id":149838919,"uuid":"337201523","full_name":"scblur869/secure-auth-service","owner":"scblur869","description":"Golang based token auth service using http-only encrypted cookies to the client and a backend user store","archived":false,"fork":false,"pushed_at":"2021-05-10T17:34:03.000Z","size":61676,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"dev-mysql","last_synced_at":"2025-02-06T20:39:35.996Z","etag":null,"topics":["authenticated-encryption","authentication-backend","golang","golang-gin","jwt","jwt-authentication","jwt-go","token-auth"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scblur869.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-08T20:31:45.000Z","updated_at":"2023-04-30T13:38:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"6ce23584-4cbc-4eb0-9736-72981c7e9840","html_url":"https://github.com/scblur869/secure-auth-service","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scblur869%2Fsecure-auth-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scblur869%2Fsecure-auth-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scblur869%2Fsecure-auth-service/releases","manifests_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scblur869%2Fsecure-auth-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scblur869","download_url":"https://codeload.github.com/scblur869/secure-auth-service/tar.gz/refs/heads/dev-mysql","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246482213,"owners_count":20784656,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authenticated-encryption","authentication-backend","golang","golang-gin","jwt","jwt-authentication","jwt-go","token-auth"],"created_at":"2024-12-13T16:29:48.639Z","updated_at":"2025-03-31T14:28:48.144Z","avatar_url":"https://github.com/scblur869.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authentication \u0026 Authorization Service\n\n## Description\n\nAuthentication and role handling service written in Go 1.15.x that supports 384-bit signed JWT for login, token refresh and logout use cases.\nThe Login and Refresh endpoints set an http-only, AES-encrypted cookie with the JWT and refresh token and return the JWT (10 min expiration) to the client.\nThe http-only encrypted cookie expires after 48 hours. A second cookie, which is neither http-only nor encrypted, is sent with displayname and role to be consumed by a front-end application. This cookie is not usable for authentication or accessing endpoints. This service also provides endpoints for managing application roles that could be assigned to accounts. 
Toggling of account status and setting passwords are also supported.\n\n## Primary Use Case\n\n### Token-based (signed JWT), secure authentication support for web applications\n\n### All account and role endpoints require a token\n\n## Provides\n\n```console\nPOST   /api/v1/login             --\u003e create auth token\nPOST   /api/v1/logout            --\u003e expire auth token\nPOST   /api/v1/refresh           --\u003e refresh auth token\nPOST   /api/v1/account/new       --\u003e create new account\nPOST   /api/v1/account/update    --\u003e update account\nPOST   /api/v1/account/remove    --\u003e remove account\nPOST   /api/v1/account/list      --\u003e list all accounts\nPOST   /api/v1/account/find      --\u003e find account\nPOST   /api/v1/account/toggle    --\u003e toggle account status (active : inactive)\nPOST   /api/v1/account/set       --\u003e set password for account\nPOST   /api/v1/role/new          --\u003e create a new role\nPOST   /api/v1/role/update       --\u003e update role\nPOST   /api/v1/role/remove       --\u003e remove role\nPOST   /api/v1/role/list         --\u003e list current roles\n```\n\n- Login\n  - /api/v1/login\n\n```console\nPOST\n  {\n    username: \"someUser\",\n    password: \"somePassword\"\n  }\n    200 RESPONSE\n      COOKIE {ENCRYPTED HTTP-Only cookie}\n      COOKIE {display_name, role}\n    TEXT\n      \"successful\"\n```\n\n- Refresh\n  - /api/v1/refresh\n\n```console\n POST COOKIE {ENCRYPTED HTTP-Only cookie}\n 200 RESPONSE\n     COOKIE {ENCRYPTED HTTP-Only cookie}\n     COOKIE {display_name, role}\n     TEXT\n      \"successful\"\n```\n\n- Logout\n  - /api/v1/logout\n\n```console\n  POST {HTTP-Only cookie from refresh or login (ENCRYPTED)}\n```\n\n## Accounts Management Endpoints\n\n### New Account\n\n- /api/v1/accounts/new\n\n```console\n  POST\n  {\n    \"username\": \"testuser2\",\n    \"displayname\": \"test s. 
user2\",\n    \"email\": \"test.user2@testingcompany.com\",\n    \"role\": \"report-user\",\n    \"password\": \"supersecret01\"\n  }\n```\n\n### list, update, find (one), remove account\n\n- /api/v1/accounts/list\n- /api/v1/accounts/update\n- /api/v1/accounts/find\n- /api/v1/accounts/remove\n- /api/v1/accounts/toggle\n- /api/v1/accounts/set\n\n```console\n  POST\n  {   \n    \"id\": 3,\n    \"username\": \"testuser\",\n    \"password\": \"somesecret\",\n    \"email\": \"test.user@testingcompany.com\",\n    \"displayname\": \"test s. user\",\n    \"role\": \"report-user\"\n  }\n```\n\n## Role Management Endpoints\n\n### list, update, new, remove role\n\n- /api/v1/role/new\n- /api/v1/role/update\n- /api/v1/role/remove\n- /api/v1/role/list\n\n```console\n  POST\n  {   \n    \"id\": 3,\n    \"name\": \"default-user\",\n    \"displayname\": \"Default User Role\",\n    \"description\": \"Default user Role for application\"\n  }\n```\n\n## Token \u0026 Claims\n\n- example login / refresh token\n\n```console\n\"eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NfdXVpZCI6IjE4ZWYyM2Y5LTQ4YTYtNGE5My1hZWE4LWY1MDZlN2NlN2JhMCIsImRpc3BsYXlfbmFtZSI6IlRlbXBlci1TdXJlIEFkbWluIiwiZW1haWwiOiJhZG1pbkB0ZW1wZXItc3VyZS5jb20iLCJleHAiOjE2MTIyODg0MTYsInJvbGUiOiJhZG1pbiIsInVzZXJfaWQiOiIxIn0.j0nle36e2yFv5qvZMxJFewZ41d4zczE5UnHpC5s1T0PxTF5UK1FQT0zSsnZpwjCR\"\n```\n\n## JWT Claims given\n\n```json\n{\n  \"access_uuid\": \"18ef23f9-48a6-4a93-aea8-f506e7ce7ba0\",\n  \"display_name\": \"John Smith\",\n  \"email\": \"jsmith@example.com\",\n  \"exp\": 1612288416,\n  \"role\": \"reports-user\",\n  \"user_id\": \"24\"\n}\n```\n\n## Requirements\n\n### Environmentals required for JWT Signature Validation\n\n- ACCESS_SECRET  {see Dockerfile}\n- REFRESH_SECRET {see Dockerfile}\n- .env can be used for development \u0026 testing\n\n```console\nREDIS_HOST=127.0.0.1\nREDIS_PORT=6379\nREDIS_PASSWORD=\nACCESS_SECRET=1234567890abcdefghij\nREFRESH_SECRET=9876543210abcdefghij\nPORT=4000\n```\n\n### Redis with port 
6379 exposed\n\n- Used for storing the access_token and refresh_tokens until logout or token expiration\n- Redis authentication supported\n\n### Redis Data Structure\n\n```go\ntype TokenDetails struct {\n    AccessToken  string\n    RefreshToken string\n    TokenUuid    string\n    RefreshUuid  string\n    AtExpires    int64\n    RtExpires    int64\n}\n```\n\n### Dockerfile example\n\n```docker\nFROM golang:latest\nWORKDIR /go/src/app\nENV REDIS_HOST=localhost\nENV REDIS_PORT=6379\nENV REDIS_PASSWORD=\nENV ACCESS_SECRET=1234567890abcdefghij\nENV REFRESH_SECRET=9876543210abcdefghij\nENV PORT=4000\nENV GIN_MODE=release\nCOPY auth-svc .\nEXPOSE 4000\nCMD [\"./auth-svc\"]\n```\n\n## TODO\n\n- Simple UI for managing accounts\n- A new encryption key is generated each time the container / service starts. For production deployments that scale, it may be better to externalize this\n\n## BUILDING / DEPLOYING\n\n```console\ngo build -o my-auth-service -ldflags \"-s -w\"\n./my-auth-service\n```\n\n## DOCKER\n\n- A Dockerfile and a docker-compose script have been provided for testing the auth_svc and the UI, which is also in the repo\n\n## REFERENCES and CODE INSPIRATION\n\n- \u003chttps://github.com/victorsteven/jwt-best-practices\u003e\n- \u003chttps://www.melvinvivas.com/how-to-encrypt-and-decrypt-data-using-aes/\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscblur869%2Fsecure-auth-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscblur869%2Fsecure-auth-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscblur869%2Fsecure-auth-service/lists"}