MCPcopy
hub / github.com/qvest-digital/loginsrv

github.com/qvest-digital/loginsrv @v1.3.1 sqlite

repository ↗ · DeepWiki ↗ · release v1.3.1 ↗
370 symbols 1,436 edges 68 files 105 documented · 28%
README

loginsrv

loginsrv is a standalone minimalistic login server providing a JWT login for multiple login backends.

Docker Build Status Go Report Card Coverage Status Join the chat at https://gitter.im/tarent/loginsrv

Attention: Update to v1.3.0 for Google Login Update !!!!

Google will stop support for the Google+ APIs. So we changed loginsrv to use the standard oauth endpoints for Google login. Please update loginsrv to v1.3.0 if you are using google login.

Attention: Since v1.3.0, pure HTTP is not supported by default

Since v1.3.0, loginsrv sets the secure flag for the login cookie. So, if you use HTTP fo connect with the browser, e.g. for testing, you browser will ignore the cookie. Use the flag -cookie-secure=false when testing without HTTPS.

Abstract

Loginsrv provides a minimal endpoint for authentication. The login is performed against the providers and returned as a JSON Web Token (JWT). It can be used as:

  • Standalone microservice
  • Docker container
  • Golang library
  • Caddy plugin. (See caddy/README.md for details)

Supported Provider Backends

The following providers (login backends) are supported.

Questions

For questions and support please use the Gitter chat room.

Join the chat at https://gitter.im/tarent/loginsrv

Configuration and Startup

Config Options

Note for Caddy users: Not all parameters are available in Caddy. See the table for details. With Caddy, the parameter names can also be used with _ in the names, e.g. cookie_http_only.

Parameter Type Default Caddy Description
-cookie-domain string X Optional domain parameter for the cookie
-cookie-expiry string session X Expiry duration for the cookie, e.g. 2h or 3h30m
-cookie-http-only boolean true X Set the cookie with the HTTP only flag
-cookie-name string "jwt_token" X Name of the JWT cookie
-cookie-secure boolean true X Set the secure flag on the JWT cookie. (Set this to false for plain HTTP support)
-github value X OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..]
-google value X OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..]
-bitbucket value X OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..]
-facebook value X OAuth config in the form: client_id=..,client_secret=..[,scope=..][,redirect_uri=..]
-gitlab value X OAuth config in the form: client_id=..,client_secret=..[,scope=..,][redirect_uri=..]
-host string "localhost" - Host to listen on
-htpasswd value X Htpasswd login backend opts: file=/path/to/pwdfile
-jwt-expiry go duration 24h X Expiry duration for the JWT token, e.g. 2h or 3h30m
-jwt-secret string "random key" X Secret used to sign the JWT token. (See caddy/README.md for details.)
-jwt-algo string "HS512" X Signing algorithm to use (ES256, ES384, ES512, HS512, HS256, HS384, HS512)
-log-level string "info" - Log level
-login-path string "/login" X Path of the login resource
-logout-url string X URL or path to redirect to after logout
-osiam value X OSIAM login backend opts: endpoint=..,client_id=..,client_secret=..
-port string "6789" - Port to listen on
-redirect boolean true X Allow dynamic overwriting of the the success by query parameter
-redirect-query-parameter string "backTo" X URL parameter for the redirect target
-redirect-check-referer boolean true X Check the referer header to ensure it matches the host header on dynamic redirects
-redirect-host-file string "" X A file containing a list of domains that redirects are allowed to, one domain per line
-simple value X Simple login backend opts: user1=password,user2=password,..
-success-url string "/" X URL to redirect to after login
-prevent-external-redirects boolean true X Prevent dynamic redirects to external domains
-template string X An alternative template for the login form
-text-logging boolean true - Log in text format instead of JSON
-jwt-refreshes int 0 X The maximum number of JWT refreshes
-grace-period go duration 5s - Duration to wait after SIGINT/SIGTERM for existing requests. No new requests are accepted.
-user-file string X A YAML file with user specific data for the tokens. (see below for an example)
-user-endpoint string X URL of an endpoint providing user specific data for the tokens. (see below for an example)
-user-endpoint-token string X Authentication token used when communicating with the user endpoint
-user-endpoint-timeout go duration 5s X Timeout used when communicating with the user endpoint

Environment Variables

All of the above Config Options can also be applied as environment variables by using variables named this way: LOGINSRV_OPTION_NAME. So e.g. jwt-secret can be set by environment variable LOGINSRV_JWT_SECRET.

Startup Examples

The simplest way to use loginsrv is by the provided docker container. E.g. configured with the simple provider:

$ docker run -d -p 8080:8080 tarent/loginsrv -cookie-secure=false -jwt-secret my_secret -simple bob=secret

$ curl --data "username=bob&password=secret" 127.0.0.1:8080/login
eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJib2IifQ.uWoJkSXTLA_RvfLKe12pb4CyxQNxe5_Ovw-N5wfQwkzXz2enbhA9JZf8MmTp9n-TTDcWdY3Fd1SA72_M20G9lQ

The same configuration could be written with environment variables this way:

$ docker run -d -p 8080:8080 -E COOKIE_SECURE=false -e LOGINSRV_JWT_SECRET=my_secret -e LOGINSRV_BACKEND=provider=simple,bob=secret tarent/loginsrv

API

GET /login

Per default, it returns a simple bootstrap styled login form for unauthenticated requests and a page with user info for authenticated requests. When the call accepts a JSON output, the json content of the token is returned to authenticated requests.

The returned HTML follows the UI composition conventions from (lib-compose)[https://github.com/tarent/lib-compose], so it can be embedded into an existing layout.

Parameter-Type Parameter Description
Http-Header Accept: text/html Return the login form or user html. default
Http-Header Accept: application/json Return the user Object as json, or 403 if not authenticated.

GET /login/

Starts the OAuth Web Flow with the configured provider. E.g. GET /login/github redirects to the GitHub login form.

POST /login

Performs the login and returns the JWT. Depending on the content-type and parameters, a classical JSON-Rest or a redirect can be performed.

Runtime Parameters

Parameter-Type Parameter Description
Http-Header Accept: text/html Set the JWT as a cookie named 'jwt_token' default
Http-Header Accept: application/jwt Returns the JWT within the body. No cookie is set
Http-Header Content-Type: application/x-www-form-urlencoded Expect the credentials as form encoded parameters default
Http-Header Content-Type: application/json Take the credentials from the provided JSON object
Post-Parameter username The username
Post-Parameter password The password
Get or Post backTo Dynamic redirect target after login (see (Redirects)[#redirects]) -success-url

Possible Return Codes

Code Meaning Description
200 OK Successfully authenticated
403 Forbidden The credentials are wrong
400 Bad Request Missing parameters
500 Internal Server Error Internal error, e.g. the login provider is not available or failed
303 See Other Sets the JWT as a cookie, if the login succeeds and redirect to the URLs provided in redirectSuccess or redirectError

Hint: The status 401 Unauthorized is not used as a return code to not conflict with an HTTP Basic authentication.

JWT-Refresh

If the POST-Parameters for username and password are missing and a valid JWT-Cookie is part of the request, then the JWT-Cookie is refreshed. This only happens if the jwt-refreshes config option is set to a value greater than 0.

DELETE /login

Deletes the JWT cookie.

For simple usage in web applications, thi

Extension points exported contracts — how you extend this code

Backend (Interface)
Backend is an loginsrv authentication extension [6 implementers]
login/backend.go
Provider (FuncType)
Provider is a factory method for creation of login backends.
login/provider.go
UserClaims (Interface)
(no doc) [2 implementers]
login/user_claims.go

Core symbols most depended-on inside this repo

Set
called by 66
login/config.go
String
called by 50
login/config.go
Write
called by 31
logging/log_middleware.go
WriteHeader
called by 31
logging/log_middleware.go
DefaultConfig
called by 20
login/config.go
Application
called by 16
logging/logger.go
Authenticate
called by 14
htpasswd/auth.go
ServeHTTP
called by 14
login/handler.go

Shape

Function 248
Method 72
Struct 41
FuncType 3
Interface 3
TypeAlias 3

Languages

Go100%

Modules by API surface

login/handler_test.go39 symbols
login/handler.go27 symbols
logging/logger_test.go17 symbols
login/config.go15 symbols
logging/logger.go14 symbols
htpasswd/auth_test.go10 symbols
oauth2/oauth_test.go9 symbols
login/user_claims_provider_test.go9 symbols
oauth2/oauth.go8 symbols
oauth2/manager.go8 symbols
oauth2/gitlab_test.go8 symbols
htpasswd/auth.go8 symbols

Dependencies from manifests, versioned

github.com/abbot/go-http-authv0.4.0 · 1×
github.com/dgrijalva/jwt-gov3.2.0+incompatible · 1×
github.com/tarent/lib-composev0.0.0-2017082911380 · 1×
github.com/tarent/logrusv0.11.5 · 1×
golang.org/x/cryptov0.0.0-2019070109494 · 1×
gopkg.in/yaml.v2v2.2.2 · 1×

For agents

$ claude mcp add loginsrv \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact