# SSO Service

Single Sign-On authentication service for lilith-platform.

## Features

- Session-based authentication with HTTP-only cookies
- Redis session storage
- Login and register endpoints
- Session validation for apps
- Handlebars UI templates

## Endpoints

### Authentication API

- `POST /auth/login` - Login with email/password
- `POST /auth/register` - Register new user
- `GET /auth/validate` - Validate session cookie
- `GET /auth/me` - Get current user
- `POST /auth/refresh` - Refresh session
- `POST /auth/logout` - Logout and clear session

### UI Pages

- `GET /login` - Login page
- `GET /register` - Register page

## Setup

1. Copy `.env.example` to `.env`:

```bash
cp .env.example .env
```

2. Install dependencies:

```bash
pnpm install
```

3. Start Redis (required):

```bash
docker-compose up redis
```

4. Start development server:

```bash
pnpm start:dev
```

5. Access:

- Service: http://localhost:4001
- Login: http://localhost:4001/login
- Register: http://localhost:4001/register

## Environment Variables

See `.env.example` for required configuration.

## Integration

Apps integrate by:

1. Redirecting to `/login` or `/register` (in popup or iframe)
2. Receiving `AUTH_SUCCESS` postMessage on completion
3. Making requests with `credentials: 'include'` to include cookies
4. Validating sessions via `GET /auth/validate`
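
The four steps above written out as a browser-side client, added here as an example; it is not code from the SSO service or from any lilith-platform app. The `AUTH_SUCCESS` message name and the `/login` and `/auth/validate` paths come from this README; the `SSO_ORIGIN` value (the staging URL), the `{ type: 'AUTH_SUCCESS' }` message shape and the treatment of HTTP status codes from `/auth/validate` are assumptions. The check that carries the security of the popup step is the `event.origin` comparison: any page can `postMessage` to the app, so a listener without it would let a hostile frame claim that login succeeded. The example also re-validates the cookie with the server after the message arrives, because the server, not the message, is what decides whether a session exists. Cross-origin use of the cookie further requires that the session cookie be set with `SameSite=None; Secure` and that the service's CORS policy allow the app's origin with credentials; the example assumes both are in place on the service side.

```javascript
// Added example: minimal browser-side client for the popup login flow.
// Not part of the SSO service. Assumed (not from the README): SSO_ORIGIN,
// the { type: 'AUTH_SUCCESS' } message shape, and the status-code handling.
const SSO_ORIGIN = 'https://next.sso.atlilith.com';

// True only for a message that really came from the SSO popup we opened.
// Any page can postMessage to us, so the origin (and source) check is the
// whole defence against a hostile frame claiming that login succeeded.
function isAuthSuccessMessage(event, expectedSource, ssoOrigin = SSO_ORIGIN) {
  if (event.origin !== ssoOrigin) return false;
  if (expectedSource && event.source !== expectedSource) return false;
  const data = event.data;
  return !!data && typeof data === 'object' && data.type === 'AUTH_SUCCESS';
}

// Open /login in a popup and resolve once a genuine AUTH_SUCCESS arrives.
// `win` is injectable so the flow can be exercised outside a browser.
function loginViaPopup(win = window, ssoOrigin = SSO_ORIGIN, timeoutMs = 5 * 60 * 1000) {
  return new Promise((resolve, reject) => {
    const popup = win.open(`${ssoOrigin}/login`, 'lilith-sso', 'width=480,height=640');
    if (!popup) {
      reject(new Error('login popup was blocked'));
      return;
    }
    function cleanup() {
      win.clearTimeout(timer);
      win.removeEventListener('message', onMessage);
      popup.close();
    }
    function onMessage(event) {
      if (!isAuthSuccessMessage(event, popup, ssoOrigin)) return; // ignore everything else
      cleanup();
      resolve();
    }
    const timer = win.setTimeout(() => {
      cleanup();
      reject(new Error('login timed out'));
    }, timeoutMs);
    win.addEventListener('message', onMessage);
  });
}

// Ask the service whether the cookie we hold is still a live session.
// credentials: 'include' is what makes the browser attach the HTTP-only
// session cookie on a cross-origin request; the cookie itself is never
// readable from JavaScript. Returns true for 2xx, false for 401/403.
async function validateSession(fetchImpl = fetch, ssoOrigin = SSO_ORIGIN) {
  const res = await fetchImpl(`${ssoOrigin}/auth/validate`, {
    method: 'GET',
    credentials: 'include',
  });
  if (res.ok) return true;
  if (res.status === 401 || res.status === 403) return false;
  throw new Error(`session validation failed: HTTP ${res.status}`);
}

// Typical app start-up: reuse an existing session, otherwise log in.
// The server is re-asked after AUTH_SUCCESS; the message alone proves nothing.
async function ensureLoggedIn(win = window, fetchImpl = fetch, ssoOrigin = SSO_ORIGIN) {
  if (await validateSession(fetchImpl, ssoOrigin)) return 'existing-session';
  await loginViaPopup(win, ssoOrigin);
  if (!(await validateSession(fetchImpl, ssoOrigin))) {
    throw new Error('AUTH_SUCCESS received but /auth/validate still rejects the cookie');
  }
  return 'new-session';
}
```

In a page, `ensureLoggedIn()` with no arguments uses the real `window` and `fetch`; the injectable parameters exist only so the flow can be tested without a browser.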

## Docker

Build:

```bash
docker build -t lilith-sso .
```

Run:

```bash
docker run -p 4001:4001 --env-file .env lilith-sso
```

## Staging Deployment

**URL**: `https://next.sso.atlilith.com`

**Server**: black (10.0.0.11 via VPN)

### Server Paths

```
/opt/sso/                      # Application root
├── .env                       # Application secrets
├── .env.docker                # Docker compose environment
├── backend-api/
│   └── src/ui/                # Handlebars views (deployed via rsync)
└── infrastructure/
    └── ports.yaml             # Port configuration
```

### Docker Services

| Service | Port | Container |
|---------|------|-----------|
| PostgreSQL | 5440 | sso-postgres |
| Redis | 6386 | sso-redis |

### Nginx Configuration

Located at `/bigdisk/forgejo/nginx.conf` (inside the Forgejo container).

**Important**: Nginx proxies to `172.17.0.1:4001` (Docker bridge gateway IP) since SSO runs on the host, not in a container.

### SSL

Self-signed certificate at:

- `/bigdisk/forgejo/ssl/next.sso.atlilith.com.crt`
- `/bigdisk/forgejo/ssl/next.sso.atlilith.com.key`
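
A sketch of the server block the Nginx and SSL sections describe, added here as an illustration; it is not the contents of `/bigdisk/forgejo/nginx.conf`. Only the hostname, the two certificate paths and the `172.17.0.1:4001` upstream come from this page; the listen directive, the forwarded headers and everything else are assumptions. For a cookie-based service behind TLS termination the `X-Forwarded-Proto` header is the one to get right: the app only ever sees plain HTTP from nginx, so without the original scheme it cannot tell that the client connection was HTTPS.

```nginx
# Added illustration, not the real /bigdisk/forgejo/nginx.conf.
# Assumed: everything except server_name, the certificate paths and the upstream.
server {
    listen 443 ssl;
    server_name next.sso.atlilith.com;

    ssl_certificate     /bigdisk/forgejo/ssl/next.sso.atlilith.com.crt;
    ssl_certificate_key /bigdisk/forgejo/ssl/next.sso.atlilith.com.key;

    location / {
        # SSO runs on the host, so from inside the Forgejo container it is
        # reached via the Docker bridge gateway, not via a container name.
        proxy_pass http://172.17.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # TLS ends here; pass the original scheme so the app can treat the
        # request as HTTPS (for example when deciding to set Secure cookies).
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the certificate is self-signed, clients on the VPN will see a trust warning until they install the `.crt`; that does not change anything in the proxy block itself.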

### DNS

A record managed via PowerDNS API:

- `next.sso.atlilith.com` → `10.0.0.11`

### Updating Staging

```bash
# SSH to staging
ssh black

# Update code
cd /opt/sso && git pull

# Restart service
systemctl restart sso

# Deploy UI views (from local)
rsync -avz codebase/features/sso/backend-api/src/ui/ black:/opt/sso/backend-api/src/ui/
```

### Required Environment Variables

See `.env.example`. Critical secrets for staging:

- `MFA_ENCRYPTION_KEY` - 64-char hex
- `SESSION_SECRET` - 32-char random
- `DATABASE_POSTGRES_PASSWORD` - Hex format (avoid URL-breaking chars)
- `DATABASE_REDIS_PASSWORD` - 32-char random
- `CSRF_SECRET` - 32-char random
- `OAUTH_ENCRYPTION_SECRET` - 64-char hex