Changes between Initial Version and Version 1 of login-service


Timestamp: Sep 5, 2013, 8:59:11 PM (6 years ago)
Author: Jamie McClelland
Comment: --

  • login-service

    v1 v1  
     1= Login Service =
     2
     3May First/People Link provides a web-based API for verifying login credentials called "login-service". It is designed to allow applications to verify that a given username and password is valid. It takes as input a username, password, and application id, and responds with either a 1 (indicating invalid) or a 0 indicating a valid username and password.
     4
     5== Server side ==
     6
     7The server is running a python twisted web application, available via git: git://git.mayfirst.org/mfpl/login-service. It is currently installed on hay.mayfirst.org in /usr/local/share/login-service, listens on port 8080, requires tls, and is configured to use the members.mayfirst.org key and certificate.
     8
     9The application is managed by runit (via /etc/sv/login-service), so it should restart when the system restarts.
     10
     11The application runs as the login-service unix user. It also has access to it's own mysql username and password (configured via files in /etc/sv/login-service/env) that grant it the privilege of logging into the MySQL server on hay and of executing the `get_salt` and `valid_hash` MySQL procedures that enable it to verify a username and password witout having access to the table of usernames and passwords.
     12
     13One environment variable set via the file /etc/sv/login-service/env/LS_APP_IDS contains a space separated list of randomly generated strings that act as an application id. The idea is that each application that we configure to use the service will share a secret that is stored in this file. The shared secret helps prevent dictionary attacks against the service.
     14
     15== Client side ==
     16
     17Writing a client to interface with the login service is relatively easy.
     18
     19Here are a few examples:
     20
     21{{{
     22<?php
     23
     24function authenticate_user($user, $password, $app_id) {
     25  $url = 'https://members.mayfirst.org:8080/check?user=' . urlencode($user) .
     26   '&password=' . urlencode($password) . '&app_id=' . $app_id;
     27  $out = file_get_contents($url);
     28  if($out == "0") return TRUE;
     29  return FALSE;
     30}
     31?>
     32}}}
     33
     34{{{
     35#!/bin/bash
     36user="$1"
     37pass="$2"
     38app_id="$3"
     39out=$(curl "https://members.mayfirst.org:8080/check?user=$user&password=$pass&app_id=$3")
     40[ "$out" = "0" ] && exit 0
     41exit 1
     42}}}
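
Review bot: The PHP example (new lines 22-31) fails open: `file_get_contents()` returns `FALSE` when the request fails, and the loose comparison `$out == "0"` treats `FALSE` as equal to `"0"`, so a network or TLS error is reported as a valid login. Compare strictly and reject a failed request, for example `return $out !== FALSE && trim($out) === "0";`. In the same function `$app_id` is concatenated without `urlencode()`, and in the bash example (new line 39) `$user` and `$pass` are interpolated into the URL unencoded, so a password containing `&`, `#` or a space changes the query the server receives; `curl -G --data-urlencode "user=$user"` (and likewise for the other two parameters) would encode each value. New line 39 also uses `$3` where `app_id` was already assigned on line 38. Both clients put the password in the query string of a GET request, and the bash script additionally takes it as a command-line argument, so it can surface in access logs and the process list; the page should either note that or show the credentials being read from stdin and sent in a request body, if the service accepts one.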