# SSO Service

Single Sign-On authentication service for lilith-platform.

## Features
- Session-based authentication with HTTP-only cookies
- Redis session storage
- Login and register endpoints
- Session validation for apps
- Handlebars UI templates
## Endpoints

### Authentication API

- `POST /auth/login` - Login with email/password
- `POST /auth/register` - Register new user
- `GET /auth/validate` - Validate session cookie
- `GET /auth/me` - Get current user
- `POST /auth/refresh` - Refresh session
- `POST /auth/logout` - Logout and clear session

### UI Pages

- `GET /login` - Login page
- `GET /register` - Register page
## Setup

1. Copy `.env.example` to `.env`:

   ```bash
   cp .env.example .env
   ```

2. Install dependencies:

   ```bash
   pnpm install
   ```

3. Start Redis (required):

   ```bash
   docker-compose up redis
   ```

4. Start the development server:

   ```bash
   pnpm start:dev
   ```

5. Access:
   - Service: http://localhost:4001
   - Login: http://localhost:4001/login
   - Register: http://localhost:4001/register
## Environment Variables

See `.env.example` for required configuration.
## Integration

Apps integrate by:

- Redirecting to `/login` or `/register` (in a popup or iframe)
- Receiving the `AUTH_SUCCESS` postMessage on completion
- Making requests with `credentials: 'include'` so the session cookie is sent
- Validating sessions via `GET /auth/validate`
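The browser side of that flow, as an added example (not the project's own code): it opens the login popup, accepts `AUTH_SUCCESS` only from the SSO origin, and then confirms the session with `GET /auth/validate` using `credentials: 'include'`. The SSO origin and the `{ type: 'AUTH_SUCCESS' }` message shape are assumptions.

```javascript
// Added example, not the project's own code: the browser-side half of the
// integration flow above. Assumptions: the SSO origin below and that the
// AUTH_SUCCESS message is posted as { type: 'AUTH_SUCCESS' }.
const SSO_ORIGIN = 'http://localhost:4001';

// Any page can call postMessage on the opener, so the origin check is what
// stops a third-party window from forging AUTH_SUCCESS and making the app
// believe the user is logged in. Check origin first, then the payload shape.
function isAuthSuccessMessage(event, ssoOrigin = SSO_ORIGIN) {
  return (
    event.origin === ssoOrigin &&
    event.data !== null &&
    typeof event.data === 'object' &&
    event.data.type === 'AUTH_SUCCESS'
  );
}

// Confirm the session with the SSO service rather than trusting the message
// alone. credentials: 'include' sends the HTTP-only session cookie cross-origin.
// fetchImpl is injectable so the function can be exercised outside a browser.
async function validateSession(fetchImpl, ssoOrigin = SSO_ORIGIN) {
  const res = await fetchImpl(`${ssoOrigin}/auth/validate`, {
    method: 'GET',
    credentials: 'include',
  });
  if (!res.ok) return { valid: false, user: null };
  return { valid: true, user: await res.json() };
}

// Open /login in a popup and resolve with the validated session once a
// trusted AUTH_SUCCESS arrives. Browser-only; nothing here runs at load time.
function loginViaPopup(ssoOrigin = SSO_ORIGIN) {
  return new Promise((resolve) => {
    const popup = window.open(`${ssoOrigin}/login`, 'sso-login', 'width=480,height=640');
    function onMessage(event) {
      if (!isAuthSuccessMessage(event, ssoOrigin)) return; // ignore unrelated or forged messages
      window.removeEventListener('message', onMessage);
      if (popup) popup.close();
      resolve(validateSession(fetch, ssoOrigin));
    }
    window.addEventListener('message', onMessage);
  });
}

// Constructed sample events: only the first passes the origin check.
const sample = [
  { origin: SSO_ORIGIN, data: { type: 'AUTH_SUCCESS' } },
  { origin: 'http://other-site.example', data: { type: 'AUTH_SUCCESS' } },
];
console.log(sample.map((e) => isAuthSuccessMessage(e))); // [ true, false ]
```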
## Docker

Build:

```bash
docker build -t lilith-sso .
```

Run:

```bash
docker run -p 4001:4001 --env-file .env lilith-sso
```
## Staging Deployment

- URL: https://next.sso.atlilith.com
- Server: black (10.0.0.11 via VPN)
### Server Paths

```
/opt/sso/                    # Application root
├── .env                     # Application secrets
├── .env.docker              # Docker compose environment
├── backend-api/
│   └── src/ui/              # Handlebars views (deployed via rsync)
└── infrastructure/
    └── ports.yaml           # Port configuration
```

### Docker Services
| Service | Port | Container |
|---|---|---|
| PostgreSQL | 5440 | sso-postgres |
| Redis | 6386 | sso-redis |
### Nginx Configuration

Located at `/bigdisk/forgejo/nginx.conf` (inside the Forgejo container).

**Important:** Nginx proxies to `172.17.0.1:4001` (the Docker bridge gateway IP) because the SSO service runs on the host, not in a container.
### SSL

Self-signed certificate at:

- `/bigdisk/forgejo/ssl/next.sso.atlilith.com.crt`
- `/bigdisk/forgejo/ssl/next.sso.atlilith.com.key`

### DNS

A record managed via the PowerDNS API:

`next.sso.atlilith.com` → `10.0.0.11`
### Updating Staging

```bash
# SSH to staging
ssh black

# Update code
cd /opt/sso && git pull

# Restart service
systemctl restart sso

# Deploy UI views (from local)
rsync -avz codebase/features/sso/backend-api/src/ui/ black:/opt/sso/backend-api/src/ui/
```
### Required Environment Variables

See `.env.example`. Critical secrets for staging:

- `MFA_ENCRYPTION_KEY` - 64-char hex
- `SESSION_SECRET` - 32-char random
- `DATABASE_POSTGRES_PASSWORD` - Hex format (avoid URL-breaking chars)
- `DATABASE_REDIS_PASSWORD` - 32-char random
- `CSRF_SECRET` - 32-char random
- `OAUTH_ENCRYPTION_SECRET` - 64-char hex