Version 4 (modified by Jamie McClelland, 6 years ago)


Login Service

May First/People Link provides a web-based API for verifying login credentials called "login-service". It is designed to let applications verify that a given username and password are valid. It takes as input a username, a password, and an application id, and responds with either a 1 (indicating an invalid pair) or a 0 (indicating a valid username and password).

Server side

The server is a Python Twisted web application, available via git: git:// It is currently installed on in /usr/local/share/login-service, listens on port 8080, requires TLS, and is configured to use the key and certificate.

The application is managed by runit (via /etc/sv/login-service), so it should restart when the system restarts.

The application runs as the login-service unix user. It also has its own MySQL username and password (configured via files in /etc/sv/login-service/env) that grant it the privilege of logging into the MySQL server on hay and of executing the get_salt and valid_hash MySQL procedures, which let it verify a username and password without having access to the table of usernames and passwords.

One environment variable, set via the file /etc/sv/login-service/env/LS_APP_IDS, contains a space-separated list of randomly generated strings that act as application ids. The idea is that each application we configure to use the service shares a secret that is stored in this file. The shared secret helps prevent dictionary attacks against the service.
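As an added example (not the login-service code itself), the following Python sketches the two server-side checks the paragraphs above describe: parsing LS_APP_IDS and matching the supplied app id in constant time, then verifying the password through get_salt and valid_hash. The shape of those two procedures (get_salt(username) returning the user's salt, valid_hash(username, hash) returning whether the hash matches) is an assumption; the in-memory table and PBKDF2 hashing are constructed stand-ins for the MySQL server, and verify() returns a boolean rather than the page's 1/0 or "yes" wire encoding.

```python
"""Server-side checks for a login-service style verifier.

Added example, not the May First/People Link code.  Assumptions:
  * LS_APP_IDS is a space-separated list of shared secrets (as the page says);
  * get_salt(username) -> salt and valid_hash(username, hash) -> bool is the
    shape of the two MySQL procedures (an assumption; the page only names them);
  * the credential table below is a constructed stand-in for MySQL.
"""
import hashlib
import hmac


def load_app_ids(env_value):
    """Parse the LS_APP_IDS value into a set of app ids (empty tokens dropped)."""
    return {token for token in env_value.split() if token}


def app_id_is_known(app_id, app_ids):
    """Compare against every configured id in constant time, so response
    timing does not reveal how much of a guessed id matched or which entry
    it matched."""
    match = False
    for known in app_ids:
        if hmac.compare_digest(known.encode(), app_id.encode()):
            match = True
    return match


def derive_hash(password, salt, iterations=50_000):
    """Salted PBKDF2-SHA256, hex encoded.  The real service's hash scheme is
    not on the page; this is a constructed stand-in."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations).hex()


# Constructed sample credential store: username -> (salt, hash).  The verifier
# never reads this table directly; it only goes through the two procedures.
_SAMPLE_TABLE = {
    "alice": ("s4lt-alice", derive_hash("correct horse", "s4lt-alice")),
}


def get_salt(username):
    """Stand-in for the get_salt procedure: the user's salt, or None."""
    entry = _SAMPLE_TABLE.get(username)
    return entry[0] if entry else None


def valid_hash(username, candidate_hash):
    """Stand-in for the valid_hash procedure: does the hash match the row?"""
    entry = _SAMPLE_TABLE.get(username)
    return entry is not None and hmac.compare_digest(entry[1], candidate_hash)


def verify(username, password, app_id, app_ids,
           get_salt=get_salt, valid_hash=valid_hash):
    """True only if the app id is configured and the password hashes to the
    stored value.  Unknown users still pay for one hash so the timing does
    not distinguish "no such user" from "wrong password"."""
    if not app_id_is_known(app_id, app_ids):
        return False
    salt = get_salt(username)
    if salt is None:
        derive_hash(password, "dummy-salt-for-unknown-users")
        return False
    return valid_hash(username, derive_hash(password, salt))


if __name__ == "__main__":
    import os
    ids = load_app_ids(os.environ.get("LS_APP_IDS", "sample-app-id"))
    print(verify("alice", "correct horse", "sample-app-id", ids))
```

The app-id check runs before any database work, which is what makes the shared secret useful against dictionary attacks: a caller without a configured id never reaches the hash comparison.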

Client side

Writing a client to interface with the login service is relatively easy.

Here are a few examples:

PHP:

<?php
// The service's base URL, including the leading "?user=" of the query
// string, is elided on the original page; the concatenation below expects it.
function authenticate_user($user, $password, $app_id) {
  $url = '' . urlencode($user) .
    '&password=' . urlencode($password) . '&app_id=' . urlencode($app_id);
  $out = file_get_contents($url);
  if ($out == "yes") return TRUE;
  return FALSE;
}

Shell:

#!/bin/sh
# Usage: check-login USER PASSWORD APP_ID; the service URL is elided on the original page.
user="$1"; pass="$2"
out=$(curl -s -G "" --data-urlencode "user=$user" \
  --data-urlencode "password=$pass" --data-urlencode "app_id=$3")
[ "$out" = "yes" ] && exit 0
exit 1
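A Python client doing what the PHP and shell examples above do, added here as an illustration rather than taken from the page: it URL-encodes every parameter (a password containing & or # would otherwise change the meaning of the query), applies a timeout, and treats anything other than an exact "yes" as a failed login. The parameter names user, password and app_id come from the PHP example; the stub HTTP handler, its single credential and its fixed app id are constructed so the example runs offline (the real service listens on port 8080 over TLS, so base_url would be an https:// URL there).

```python
"""Client for a login-service style endpoint, with an offline stub server.

Added example, not part of the original page.  Assumes the query parameter
names user, password and app_id (from the page's PHP client) and that the
service answers the literal string "yes" for a valid pair.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_url(base_url, user, password, app_id):
    """Encode every parameter so characters such as & or # in a password
    cannot alter the query."""
    query = urllib.parse.urlencode(
        {"user": user, "password": password, "app_id": app_id})
    return f"{base_url}?{query}"


def authenticate_user(base_url, user, password, app_id, timeout=5):
    """True only on an exact "yes"; network errors, timeouts and any other
    body all count as a failed login (fail closed)."""
    url = build_url(base_url, user, password, app_id)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().strip() == b"yes"
    except (urllib.error.URLError, OSError, ValueError):
        return False


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the login service: one fixed credential and
    one fixed app id, answering "yes" or "no" in the body."""
    CREDS = {"user": "alice", "password": "p&ss#word", "app_id": "sample-app-id"}

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        supplied = {key: values[0] for key, values in params.items()}
        body = b"yes" if supplied == self.CREDS else b"no"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # keep the example quiet


def start_stub_service():
    """Start the stub on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


if __name__ == "__main__":
    server, base_url = start_stub_service()
    try:
        print(authenticate_user(base_url, "alice", "p&ss#word", "sample-app-id"))  # True
        print(authenticate_user(base_url, "alice", "guess", "sample-app-id"))      # False
    finally:
        server.shutdown()
```

Because the credentials travel in the query string, the client relies on the service's TLS requirement to keep them off the wire in clear; anything that logs full request URLs between the two ends would see them.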