= Login Service =

May First/People Link provides a web-based API for verifying login credentials called "login-service". It is designed to allow applications to verify that a given username and password is valid. It takes as input a username, password, and application id, and responds with either a 1 (indicating invalid) or a 0 (indicating a valid username and password).

== Server side ==

The server is running a python twisted web application, available via git: git://git.mayfirst.org/mfpl/login-service. It is currently installed on hay.mayfirst.org in /usr/local/share/login-service, listens on port 8080, requires TLS, and is configured to use the members.mayfirst.org key and certificate.

The application is managed by runit (via /etc/sv/login-service), so it should restart when the system restarts.

The application runs as the login-service unix user. It also has access to its own MySQL username and password (configured via files in /etc/sv/login-service/env) that grant it the privilege of logging into the MySQL server on hay and of executing the `get_salt` and `valid_hash` MySQL procedures. These procedures let it verify a username and password without having access to the table of usernames and passwords.

One environment variable, set via the file /etc/sv/login-service/env/LS_APP_IDS, contains a space-separated list of randomly generated strings that act as application ids. The idea is that each application that we configure to use the service will share a secret that is stored in this file. The shared secret helps prevent dictionary attacks against the service.
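The decision logic of the /check endpoint as the page describes it (query parameters user, password and app_id; "0" for valid, "1" for invalid), written as an added illustration rather than taken from the login-service code. The Twisted wiring and the MySQL get_salt/valid_hash calls are assumed away behind a caller-supplied verify() callback, and the function names are the example's own.

```python
import hmac
import os
from urllib.parse import parse_qs


def load_app_ids(env_value):
    """Parse the space-separated LS_APP_IDS value into a list of shared secrets."""
    return [s for s in env_value.split(" ") if s]


def app_id_is_known(app_id, app_ids):
    # Compare against every configured id with a constant-time comparison, so
    # response time does not leak how much of a presented id matched.
    found = False
    for known in app_ids:
        if hmac.compare_digest(app_id.encode(), known.encode()):
            found = True
    return found


def check(query_string, app_ids, verify):
    """Return "0" if app_id is known and user/password verify, else "1".

    verify(user, password) stands in for the get_salt/valid_hash procedures.
    A missing or repeated parameter fails closed with "1".
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = {}
    for name in ("user", "password", "app_id"):
        if name not in params or len(params[name]) != 1:
            return "1"
        values[name] = params[name][0]
    # Check the shared secret first so unknown applications never reach the
    # credential check, which is what limits dictionary attacks on the service.
    if not app_id_is_known(values["app_id"], app_ids):
        return "1"
    return "0" if verify(values["user"], values["password"]) else "1"


if __name__ == "__main__":
    # Constructed configuration and credential store for a local run (assumptions).
    ids = load_app_ids(os.environ.get("LS_APP_IDS", "secretA secretB"))

    def verify(user, password):
        return (user, password) == ("alice", "correct horse")

    print(check("user=alice&password=correct+horse&app_id=secretB", ids, verify))  # 0
```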

== Client side ==

Writing a client to interface with the login service is relatively easy.

Here are a few examples:

{{{
<?php

function authenticate_user($user, $password, $app_id) {
    // All three values travel as query-string parameters, so each one must be URL-encoded.
    $url = 'https://members.mayfirst.org:8080/check?user=' . urlencode($user) .
        '&password=' . urlencode($password) . '&app_id=' . urlencode($app_id);
    $out = file_get_contents($url);
    // Strict comparison: file_get_contents() returns FALSE on failure, and under
    // PHP's loose comparison FALSE == "0" is true, which would accept a login
    // whenever the service could not be reached.
    if ($out === "0") return TRUE;
    return FALSE;
}
?>
}}}

{{{
#!/bin/bash
user="$1"
pass="$2"
app_id="$3"
# -G sends the --data-urlencode values as URL-encoded query parameters;
# -s silences progress output and -f makes an HTTP error leave $out empty,
# so a failed request cannot be mistaken for a "0" (valid) response.
out=$(curl -sfG --data-urlencode "user=$user" \
               --data-urlencode "password=$pass" \
               --data-urlencode "app_id=$app_id" \
               "https://members.mayfirst.org:8080/check")
[ "$out" = "0" ] && exit 0
exit 1
}}}