Authentication gateway middle-man for simplifying OAuth requests with a plugin based architecture to allow quick iteration and implementation of new authentication schemes outside of normal or existing flows.
$ npm install guardian
$ node index.js -c <configuration>
Configuration files can be found in the config directory, when no configuration file is declared default.js is loaded, when declaring which file to use omit the js extension like so:
$ node index.js -c production
Basic Options:
host
You should set this to be the public ip or domain name as it is utilized to generate the callback uri.Default: localhost:3000
- protocol
Host protocol
Default: http
- port
Port on which guardian runs
Default: 3000
- pid.dir
Directory where the .guardian.pid file will be output, in production environments this is usually /home/<user>/, with trailing slash.
Default: ./
- redis.host
- redis.port
- redis.pass
Each endpoint functions as a step.
POST /store
Stores information given, returns hash to be used later on. 10 second life on the hashed information by default.
OAuth 2
Details specific to OAuth2
client_idclient_secretgrant_type
Highly dependant on flow state, and which flow you are accessing. Common values:authorization_codeclient_credentialspasswordrefresh_tokenbase_urlaccess_name access token name, default access_tokenauthorize_methodstatescopeOAuth 1
Details specific to OAuth 1.0a
consumer_keyconsumer_secretsignature_methodoauth_tokenAuthentication required
General information regarding authentication flow to load plugin.
auth_type a-z chars accepted onlyDefault: oauth
- auth_flow a-z_ chars accepted only
This would be a specific flow, a niche if you may. Echo, Owner Resources, etc.. Optional. -
auth_versionnumeric chars only What version ofauth_typeare we dealing with? Can be optional. -auth_legnumeric chars only What leg ofauth_typeis this?
These are combined to create the plugin file name which is composed like so:
type.lower + (flow? '_' + flow : '') + (version? '_' + version : '') + (leg? '_' + leg : '')
General
request_urlaccess_urlauthorize_urlcallback for access_token & access_secret responseGET /hash-check
Allows you to preview / verify your stored information in-case of error or malformed response.
Once again, stored information by default lasts only 10 seconds.
hashALL /start
Begins guardian transactions and authentication steps. These steps are passed with a 302 request and should be followed.
hashOAuth 1.0a
Used in the OAuth 1.0a Signature Process for 1-Legged requests. Example.
url Calling URL, query parameters from here are parsed so you don't need to place them in parameters... I don't think.method Calling Methodbody Calling Payload or Bodyparameters Calling Parameters for Request Signatures or etc...Each test in the test folder is based on an API or feature of guardian rather than TDD or BDD based tests, we simply verify whether the authentication succeeds and we get a response from the API about the API information rather than Authentication information.
Each API based test will require something of the likes:
$ node tests/api.js -k {Your Consumer/Client Key/Id} -s {Your Consumer/Client Secret} -h {host, ie: localhost or domain}
You will recieve a response with the headers sent, and the returned response from the API, guardian must be running locally for these tests to work and on the port 3000. Unless you alter these files~
Originally called gatekeeper, but someone else had that and no other names seemed appropriate for what this does so we went with guardian which is another form of a gatekeeper.
—
$ claude mcp add guardian \
-- python -m otcore.mcp_server <graph>