platform-codebase/features/sso/backend-api
2026-01-10 06:16:49 -08:00

SSO Service

Single Sign-On authentication service for lilith-platform.

Features

  • Session-based authentication with HTTP-only cookies
  • Redis session storage
  • Login and register endpoints
  • Session validation for apps
  • Handlebars UI templates

Endpoints

Authentication API

  • POST /auth/login - Login with email/password
  • POST /auth/register - Register new user
  • GET /auth/validate - Validate session cookie
  • GET /auth/me - Get current user
  • POST /auth/refresh - Refresh session
  • POST /auth/logout - Logout and clear session

UI Pages

  • GET /login - Login page
  • GET /register - Register page

Setup

  1. Copy .env.example to .env:

    cp .env.example .env
    
  2. Install dependencies:

    pnpm install
    
  3. Start Redis (required):

    docker-compose up redis
    
  4. Start development server:

    pnpm start:dev
    
  5. Access:

Environment Variables

See .env.example for required configuration.

Integration

Apps integrate by:

  1. Redirecting to /login or /register (in a popup or iframe)
  2. Receiving the AUTH_SUCCESS postMessage on completion (check event.origin against the SSO origin before acting on it)
  3. Making requests with credentials: 'include' so the browser sends the session cookie
  4. Validating sessions server-side via GET /auth/validate rather than trusting the postMessage alone
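The popup flow above, as an added browser-side example (not the project's own client code). The SSO origin, the message shape ({ type: 'AUTH_SUCCESS' } or the plain string 'AUTH_SUCCESS') and the popup window features are assumptions; the README only names the message as AUTH_SUCCESS.

```javascript
// Added example, not the project's client code. SSO_ORIGIN and the message
// shape are assumptions (the README only names the AUTH_SUCCESS message).
const SSO_ORIGIN = 'https://next.sso.atlilith.com'; // assumption: staging SSO origin

// Accept a postMessage only when it really comes from the SSO origin. Without
// this check, any page holding a reference to our window could forge AUTH_SUCCESS.
function isAuthSuccessMessage(event, expectedOrigin = SSO_ORIGIN) {
  if (typeof event.origin !== 'string' || event.origin !== expectedOrigin) return false;
  const data = event.data;
  if (data === 'AUTH_SUCCESS') return true; // plain-string variant (assumed)
  return data !== null && typeof data === 'object' && data.type === 'AUTH_SUCCESS';
}

// Open /login in a popup and resolve once a valid AUTH_SUCCESS arrives.
function loginViaPopup(ssoOrigin = SSO_ORIGIN, timeoutMs = 120000) {
  return new Promise((resolve, reject) => {
    const popup = window.open(`${ssoOrigin}/login`, 'sso-login', 'width=480,height=640');
    if (!popup) return reject(new Error('popup blocked'));

    const timer = setTimeout(() => { cleanup(); reject(new Error('login timed out')); }, timeoutMs);
    function cleanup() { clearTimeout(timer); window.removeEventListener('message', onMessage); }
    function onMessage(event) {
      if (!isAuthSuccessMessage(event, ssoOrigin)) return; // ignore other origins / noise
      cleanup();
      resolve(event.data);
    }
    window.addEventListener('message', onMessage);
  });
}

// The session lives in an HTTP-only cookie, so the browser must be told to send it.
async function validateSession(ssoOrigin = SSO_ORIGIN) {
  const res = await fetch(`${ssoOrigin}/auth/validate`, { credentials: 'include' });
  return res.ok; // 401/403 means no valid session
}

// Full flow: the postMessage only tells us to re-check; the server is the authority.
async function ensureLoggedIn(ssoOrigin = SSO_ORIGIN) {
  if (await validateSession(ssoOrigin)) return true;
  await loginViaPopup(ssoOrigin);
  return validateSession(ssoOrigin);
}
```

Because the app and the SSO service are on different origins, credentials: 'include' only works if the SSO sets its session cookie with SameSite=None; Secure and answers CORS preflights with Access-Control-Allow-Credentials: true and an explicit Access-Control-Allow-Origin (a wildcard is rejected for credentialed requests). The iframe variant additionally needs the SSO to permit framing (frame-ancestors) and is subject to browsers' third-party cookie blocking, which is why the popup is the more robust choice.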

Docker

Build:

docker build -t lilith-sso .

Run:

docker run -p 4001:4001 --env-file .env lilith-sso

Staging Deployment

URL: https://next.sso.atlilith.com
Server: black (10.0.0.11 via VPN)

Server Paths

/opt/sso/                          # Application root
├── .env                           # Application secrets
├── .env.docker                    # Docker compose environment
├── backend-api/
│   └── src/ui/                    # Handlebars views (deployed via rsync)
└── infrastructure/
    └── ports.yaml                 # Port configuration

Docker Services

Service      Port   Container
PostgreSQL   5440   sso-postgres
Redis        6386   sso-redis

Nginx Configuration

Located at /bigdisk/forgejo/nginx.conf (inside the Forgejo container).

Important: Nginx proxies to 172.17.0.1:4001 (the Docker bridge gateway IP) because SSO runs on the host, not in a container. The SSO port therefore has to be reachable from the bridge network; keep it bound to the bridge or loopback address, or firewalled, so that other containers and VPN hosts cannot reach port 4001 directly and bypass the TLS endpoint Nginx provides.

SSL

Self-signed certificate (clients and integrating apps must trust it explicitly; do not disable TLS verification to work around it) at:

  • /bigdisk/forgejo/ssl/next.sso.atlilith.com.crt
  • /bigdisk/forgejo/ssl/next.sso.atlilith.com.key

DNS

A record managed via PowerDNS API:

  • next.sso.atlilith.com → 10.0.0.11

Updating Staging

# SSH to staging
ssh black

# Update code
cd /opt/sso && git pull

# Restart service
systemctl restart sso

# Deploy UI views (from local)
rsync -avz codebase/features/sso/backend-api/src/ui/ black:/opt/sso/backend-api/src/ui/

Required Environment Variables

See .env.example. Critical secrets for staging (generate each one fresh from a CSPRNG; never reuse a development value):

  • MFA_ENCRYPTION_KEY - 64-char hex
  • SESSION_SECRET - 32-char random
  • DATABASE_POSTGRES_PASSWORD - hex format, so it is safe inside the connection URL (avoids URL-breaking characters)
  • DATABASE_REDIS_PASSWORD - 32-char random
  • CSRF_SECRET - 32-char random
  • OAUTH_ENCRYPTION_SECRET - 64-char hex