GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → KensoDev → micro-auth-proxy

KensoDev / micro-auth-proxy

Licence: MIT license
Github Auth proxy designed for micro-apps with static client and an API server

Programming Languages

go
31211 projects - #10 most used programming language
Smarty
1635 projects
HTML
75241 projects

Labels

internal-toolsauthenticationfrontendbackendproxy

Projects that are alternatives of or similar to micro-auth-proxy

meow
Daily Bruin's homemade social media manager
Stars: ✭ 42 (+35.48%)
Mutual labels:  internal-tools
Appsmith
Low code project to build admin panels, internal tools, and dashboards. Integrates with 15+ databases and any API.
Stars: ✭ 12,079 (+38864.52%)
Mutual labels:  internal-tools
Budibase
Budibase is an open-source low-code platform for creating internal apps in minutes. Supports PostgreSQL, MySQL, MSSQL, MongoDB, Rest API, Docker, K8s 🚀
Stars: ✭ 8,071 (+25935.48%)
Mutual labels:  internal-tools
basetool
Open-source internal tool framework. 💪 Empower your team and collaborators to view and manage the data you already own in a nice easy-to-use protected tool. Basetool helps you have a better handle on your data in a collaborative way so you can focus on moving your business forward.
Stars: ✭ 160 (+416.13%)
Mutual labels:  internal-tools

micro-auth-proxy

Transparent auth reverse proxy designed for micro-apps with static client and an API server.

This project is built to serve internal projects at your company. Those can include dashboard, internal tools and others.

It is built with ACL and Docker deployment in mind and fits a very broad use case that can really serve any company that requires authentication for internal tools without messing with auth for every single project.

Overall architecture

Auth proxy architecture

This is built to protext "upstreams" behind an auth backend (Currently only supports github).

Say you have 2 upstreams configured:

// REDACTED
  "upstreams": [
    {
      "type": "http",
      "prefix": "/",
      "location": "https://bdf682c0.ngrok.io"
    },
    {
      "type": "http",
      "prefix": "/api/",
      "location": "https://6cc1b022.ngrok.io"
    }
  ]
// REDACTED

Any request starting with /api/ will be routed through to your backend server. Anything else / will go to the client.

Because request are no longer routed directly from the client to the server, you will not have to define CORS or any sort of absolute URL on the client. You simply call /api if the client is behind the proxy and it will do the rest.

Features

  • Limiting users by username on Github
  • Restrict to a single http method. Some users will only be able to do GET and the rest can do anything. This comes in REALLY handy when you want to limit view vs edit without worrying about it on your backend.
  • Memorize the tokens, we don't DDOs gihub. Once a token has been verified it will be memorized and will not be checked.
  • Save the token in the cookie for the user (See limitations regarding this feature).
  • Docker friendly: Upstreams can be only visible to the main docker container and not accessible to the public. This makes the proxy the only gate to the code and you have to authenticate first.

Configuration

Config file

{
  "authContext": "github",
  "users": [
    {
      "username": "KensoDev"
    },
    {
      "username": "KensoDev2",
      "restrict": "GET"
    }
  ],
  "upstreams": [
    {
      "type": "http",
      "prefix": "/",
      "location": "https://bdf682c0.ngrok.io"
    },
    {
      "type": "http",
      "prefix": "/api/",
      "location": "https://6cc1b022.ngrok.io"
    }
  ]
}
  • users - Users that are allowed to access your app.
  • upstreams - HTTP supported upstreams that the proxy will call
  • authContext - Authentication context you want to use. Currently only supports github, see design docs for the interface implemented.

Env Vars

For Github

ENV vars you'll need to config in order for the proxy to work

  CLIENT_ID
  CLIENT_SECRET

For Auth0

// TODO

These are your Github Client ID and Client secret from the Oauth page.

Usage

usage: authproxy --listen-port=LISTEN-PORT --config-location=CONFIG-LOCATION [<flags>]

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --listen=LISTEN-PORT  Which port should the proxy listen on
  --config=CONFIG-LOCATION
                             Proxy Config Location

Limitations

  • Currently, for V1, this only supports HTTP backend. So for example if you have a frontend and a backend, you can host your frontend on some service that support HTTP endpoint. eg: S3 with static hosting. Some heroku or anything that will give you a valid web address.

  • If you have a client side app calling to a server side through the proxy (which is what this is designed for), you will need to pass in the cookie for all server requests.

    If you are using fetch, you will need to use { credentials: "include" }. This will make sure that the github token will get passed through to the proxy and it will direct the request to the server and not redirect to Github all over again.

  • From your client side, you can either call the PROXY url as the backend or simply use the prefix /api you defined in your configuration.

Design Decisions and architecture

The authentication context

The authentication context is the class used in order to check whether a user is valid, whether the action they try to do is allowed or not.

The interface supports a token and a username and returns simple objects such as strings and booleans.

This was done by design in order to allow you to extend it and add many other contexts beyond Github such as Auth0, Google and so on.

IsAccessTokenValidAndUserAuthorized(accessToken string) bool

This method is used to validate the token and check whether the user is authorized. Checking whether they're included in the list of users or not

GetUserName(accessToken sting) string

Passing in an access token, this should return the username as a string

GetHTTPEndpointPrefix() string

What endpoint does the external service used to authentication needs exposing.

For example, Github wants you to expose a /callback which they send a code to. You can read more about it here in the docs.

ServeHTTP(w http.ResponseWriter, req *http.Request)

Your auth context needs to expose an HTTP handler in order to handle the callback from the service.

Github Auth Context Token Memoization Process

Once you have a Github Token in the http cookie, the proxy will validate that token against Github. Make sure the user is authorized (from the user list) and will not validate again.

The cookie expiration is set for 24 hours, when you authenticate again, you will get revalidated.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].