{"id":19952213,"url":"https://github.com/timluq/sqrl-auth-daemon","last_synced_at":"2025-07-01T05:04:51.724Z","repository":{"id":35381397,"uuid":"39644718","full_name":"TimLuq/sqrl-auth-daemon","owner":"TimLuq","description":"System wide SQRL client delegation for CPS listening on port 25519","archived":false,"fork":false,"pushed_at":"2015-08-11T20:29:42.000Z","size":184,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-01T15:15:48.053Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TimLuq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-07-24T16:24:06.000Z","updated_at":"2015-07-24T16:25:12.000Z","dependencies_parsed_at":"2022-09-15T13:20:35.674Z","dependency_job_id":null,"html_url":"https://github.com/TimLuq/sqrl-auth-daemon","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/TimLuq/sqrl-auth-daemon","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimLuq%2Fsqrl-auth-daemon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimLuq%2Fsqrl-auth-daemon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimLuq%2Fsqrl-auth-daemon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimLuq%2Fsqrl-auth-daemon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TimLuq","download_url":"https://codeload.github.com/TimLuq/sqrl-auth-daemon/tar.gz/refs/heads/mast
er","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimLuq%2Fsqrl-auth-daemon/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262900129,"owners_count":23381659,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T01:12:09.840Z","updated_at":"2025-07-01T05:04:51.697Z","avatar_url":"https://github.com/TimLuq.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sqrl-auth-daemon\nSystem wide SQRL client delegation for CPS listening on port 25519. This is only for POSIX systems.\n\nInstall by using:\n```bash\n$ git clone \"https://github.com/TimLuq/sqrl-auth-daemon.git\"\n$ cd sqrl-auth-daemon\n$ cabal install\n```\n(This requires you to have `cabal` and `ghc` installed, perhaps using the package `haskell-platform`.)\n\n## How it works\nThe daemon will, first of all, deny any connection from any IP other than `127.0.0.1`.\nIt will otherwise proceed by looking up what process is connecting to it by making a call to `fuser`,\nafter which it knows the PID of the process making the request. 
After additional checks of who is running the process, and after reading the environment variables associated with the process, it will pass these on to the next step.\n\n### Mimicking the user\nAfter retrieving all information needed to fully impersonate the user it will `fork(2)` a new process.\nThe new process will change its GID and UID to that of the user (using `setgid(2)` and `setuid(2)`), to ensure no privilege elevation occurs, before replacing that newly created process with the SQRL client named `sqrl-cps` (using `execvpe(3)`).\n\nThe client will be started with a filtered list of the environment variables that were in use by the requesting application.\nThis includes `DISPLAY` and `XAUTHORITY` among others.\nAny GUI opened as a consequence of the request will start in the same session of X as the application that initiated the request.\nThis allows for multiple users to be connected to the same machine without interference and any user that is connected through multiple sessions will have any GUI show up in the right place.\n\nThe client is started with the following arguments:\n* optional `--cps-referer=http://example.com/page` - the contents of the `Referer` HTTP header, if any.\n* `--cps-daemon-flags=3` - a decimal number designating which flags are respected by the daemon (see [Flags](#flags))\n* `--cps-user=nixuser` - the name of the user running the process that connected\n* `--cps-invoker=cromium-browse` - the name of the process application\n* `--cps-invoker-full=/var/lib/chromium-browser/chromium-browser` - the full path to the executable that is making the request\n* `--cps-port=50123` - the port number that was used for the request (might be good for logging purposes)\n* `--cps-query-string=?nut=rctXDOVqYKZi-XZeASYflA\u0026sfn=RXhhbXBsZQ` - the query string used when connecting to 127.0.0.1:25519\n* `--cps-path-info=/example.com/sqrl` - the path used when connecting to 127.0.0.1:25519\n* 
`sqrl://example.com/sqrl?nut=rctXDOVqYKZi-XZeASYflA\u0026sfn=RXhhbXBsZQ` - the sqrl link that is requested\n\n### Client Action\nThe client that gets executed during the call to `sqrl-cps` (which currently must be placed in either `$HOME/.sqrl/bin/sqrl-cps` or `/bin/sqrl-cps`) reads the argument list, using what it thinks is important.\nIt may choose to disregard all arguments other than the `sqrl://example.com/sqrl?nut=rctXDOVqYKZi-XZeASYflA\u0026sfn=RXhhbXBsZQ` without any additional checks.\nThe client then performs any SQRL actions it finds necessary before sending the user to some other content.\n\nWhen the client is done, whether by a successful login, a failure, or another action,\nit will generate the response which will be shown to the user.\nThe easiest way is to send the user on by giving the daemon only a URI to the new resource.\nTo ensure that the application being executed actually has something to do with SQRL, the daemon awaits a header containing the following 7 bytes \"SQRLCPS\" followed by an additional byte representing some [flags](#flags) regarding the response.\n\n#### \u003ca name=\"flags\"\u003e\u003c/a\u003eFlags\n* `0b00000001` - the client will not send a redirect URI but instead it will send a number of HTTP headers, each separated by CRLF (`\"\\r\\n\"`) followed by an empty line. (As is the standard for HTTP.)\n* `0b00000010` - after all other processing is done the entity of this response is sent to `stdout` until `EOF`. Otherwise the daemon may generate an entity of its choice.\n\nIf the first flag (`0b00000001`) _is not_ set then the client _must_ write a 16-bit big-endian number to `stdout` which is the length of the URI to redirect to.\nAfter the two bytes representing the length, that many bytes are written to `stdout`; this is the absolute URI for redirection.\n\nIf the first flag (`0b00000001`) _is_ set then the client _must_ write a number of HTTP headers, each separated by `CRLF`, to `stdout`. 
This is then followed by an extra `CRLF` which means end of headers, as per the HTTP specification.\n\nIf the second flag (`0b00000010`) _is_ set then the client, after everything else is sent, will write the response entity to `stdout`. If this flag _is not_ set the daemon may create a response of its choice.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimluq%2Fsqrl-auth-daemon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftimluq%2Fsqrl-auth-daemon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimluq%2Fsqrl-auth-daemon/lists"}