TokTok is a microservice (a REST API) for user management and authentication based on access and refresh JSON Web Tokens (JWT).
- this auth server was extracted / insulated / forked / adapted from the solidata_backend project.
- compatible with the TADATA! software suite (ApiViz / Solidata_frontend / OpenScraper)
- a simple server to manage users and authorizations based on JWT exchanges between client and server
- possibility to switch some extra features on/off, such as: RSA decryption/encryption, anonymous JWT, sending a confirmation email
- Hi! Nice to see you around :)
- Check also the `prod_snippets` folder if you encounter problems while installing locally or setting up your server: install mongodb, set up supervisor, set up git, set up nginx, set up ubuntu...
- If you want to contribute please check out our guidelines first
- Language : Python 3.6... praise be...
- Framework : Flask... minimalistic Python framework
- API : Flask-RestPlus... Swagger documentation integrated, praise be noirbizarre...
- Security : Flask-JWT-extended... wrapper JWT for Flask
- Emailing : Flask-email... templating, sending, etc...
- and more...
JWT (JSON Web Tokens):
- access and refresh tokens for security across the whole app
RSA encryption (optional):
- RSA encryption: the server can send the client an RSA public key for client-side encryption
- RSA decryption: the server can decode forms (login/register) encrypted client-side with that RSA public key
Users management:
- login / register user
- anonymous login (optional): sends a JWT for anonymous use. Its presence can be required by the server on routes carrying the `@anonymous_required` decorator, like `/login` or `/register`
- confirm email (optional in dev mode): confirm the user by sending a protected confirmation link in an email
- password forgotten: sends a protected link in an email, with redirection to the new-password form
- reset password from the client interface (protected)
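As an added example (not TokTok's own code, which relies on Flask-JWT-Extended), here is a standard-library sketch of the access / refresh / anonymous token types described above, the `/login` and refresh exchange, and the check an `@anonymous_required` route makes when anonymous JWTs are enabled. The signing secret, the lifetimes and the `type` claim used to tell the token kinds apart are assumptions, not TokTok's actual claim names:

```python
# Added example, not TokTok's own code: a standard-library HS256 JWT issuer and
# verifier showing the access / refresh / anonymous token types the README
# describes. Assumptions: a shared HMAC secret, the lifetimes below, and a
# "type" claim to tell the token kinds apart (Flask-JWT-Extended uses its own
# claim names and key handling in the real service).
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: the server's signing key
LIFETIMES = {"access": 15 * 60, "refresh": 30 * 24 * 3600, "anonymous": 3600}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(token_type, identity, now=None):
    """Build header.payload.signature for one of the three token types."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": identity, "type": token_type, "iat": now,
              "exp": now + LIFETIMES[token_type]}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, expected_type, now=None):
    """Return the claims when signature, token type and expiry all check out, else None.

    The signature is recomputed with HS256 whatever the header says, so a
    client-supplied "alg" value cannot downgrade the check.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("type") != expected_type or claims.get("exp", 0) <= now:
        return None
    return claims


def login(identity, now=None):
    """What a successful /login returns: one short-lived access and one refresh token."""
    return {"access_token": issue_token("access", identity, now),
            "refresh_token": issue_token("refresh", identity, now)}


def refresh(refresh_token, now=None):
    """Exchange a valid refresh token for a new access token; access tokens are refused."""
    claims = verify_token(refresh_token, "refresh", now)
    return None if claims is None else issue_token("access", claims["sub"], now)


def anonymous_required(headers, now=None):
    """The check an @anonymous_required route makes when anonymous JWTs are
    enabled: the request must carry a valid *anonymous* JWT, not a user access token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return verify_token(auth[len("Bearer "):], "anonymous", now) is not None
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; the guard in `anonymous_required` refuses a user's access token on purpose, because the routes it protects (`/login`, `/register`) are meant for clients that are not logged in yet.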
Documentation:
- on all API endpoints with Swagger (and some patience from the developers)
- user:
  - edit user (work in progress)
  - edit email (protect the email update)
- clone / fork the repo:
```
git clone https://github.com/co-demos/toktok.git
```
- create a virtual environment for Python3 and install the dependencies:
```
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
```
- optional: create a secret config file `config_prod.py` in the `./auth_api` folder, based on the example file:
```
cp ./auth_api/config_prod_example.py ./auth_api/config_prod.py
nano ./auth_api/config_prod.py
```
- pay attention to the `MONGO_URI` variable depending on your local mongodb configuration. The following is the standard URI connection scheme (from the mongo documentation):
```
mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
```
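As an added example (not TokTok's own code), a small parser for the URI scheme quoted above plus the review checks a practitioner would run over the `MONGO_URI` value before it lands in `config_prod.py`. The default port, the findings wording and the treatment of `tls`/`ssl` as the only transport options are assumptions:

```python
# Added example, not TokTok's own code: parse the MongoDB connection URI scheme
# quoted above and report what a reviewer of config_prod.py would want to know.
# Assumptions: 27017 as default port, and that user/password are percent-encoded
# as the scheme requires (so "@", ":" and "/" inside them do not confuse the split).
from urllib.parse import parse_qs, unquote

DEFAULT_PORT = 27017


def parse_mongo_uri(uri):
    """Split mongodb://[username:password@]host1[:port1][,hostN[:portN]][/[database][?options]]."""
    prefix = "mongodb://"
    if not uri.startswith(prefix):
        raise ValueError("expected a mongodb:// URI")
    rest = uri[len(prefix):]
    hostpart, _, tail = rest.partition("/")  # hosts (and credentials) end at the first "/"
    credentials = None
    if "@" in hostpart:
        userinfo, hostpart = hostpart.rsplit("@", 1)
        user, _, password = userinfo.partition(":")
        credentials = (unquote(user), unquote(password))
    hosts = []
    for entry in hostpart.split(","):
        host, _, port = entry.partition(":")
        hosts.append((host, int(port) if port else DEFAULT_PORT))
    database, _, query = tail.partition("?")
    options = {key: values[-1] for key, values in parse_qs(query).items()}
    return {"credentials": credentials, "hosts": hosts,
            "database": database or None, "options": options}


def review_mongo_uri(uri):
    """Findings worth fixing before the URI goes into a production config_prod.py."""
    parsed = parse_mongo_uri(uri)
    findings = []
    if parsed["credentials"] is None:
        findings.append("no credentials: MongoDB access control is probably not enabled")
    elif parsed["credentials"][1] == "":
        findings.append("empty password")
    local = {"localhost", "127.0.0.1"}
    remote = any(host not in local for host, _ in parsed["hosts"])
    opts = parsed["options"]
    if remote and opts.get("tls", opts.get("ssl", "false")) != "true":
        findings.append("remote host without tls=true: credentials and data travel in clear")
    return findings
```

A local-only development URI such as `mongodb://localhost:27017/toktok_db` is reported for its missing credentials but not for TLS; a remote replica set with credentials and `tls=true` passes clean.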
- run the app in its default mode (without the possibility to send email):
```
python appserver.py
```
- test the following urls:
```
http://localhost:4100/api/auth/documentation
http://localhost:4100/api/usr/documentation
```
- once you stop the app, if no longer needed, deactivate your virtual environment:
```
deactivate
```
There are some options you can play with while running the service:
- `--mode`: `dev` (default), `dev_email`, `preprod`, `production`
- `--host`: the IP of your server (default: `localhost`)
- `--port`: the port you want to run the app on (default: `4100`)
- `--rsa`: if you want to receive the forms RSA-encrypted and send the RSA public key (default: `no`)... protects the `/login` + `/register` + `/password_forgotten` + `/reset_password` endpoints
- `--anojwt`: if you need to check the presence/validity of an "anonymous_jwt" in the request (default: `no`)... protects the `/login` + `/register` + `/password_forgotten` endpoints
- `--antispam`: if you need to check the presence/validity of the `antispam` field in the request (default: `no`)... protects the `/login` + `/register` + `/password_forgotten` endpoints
- `--antispam_val`: if you need to check the validity of the content of the `antispam` field in the form sent by the client (default: `""`)
In practice:
- you can run the app in dev mode (with the possibility to send email):
```
python appserver.py --mode=dev_email
```
- you can choose to deactivate the integrated RSA decryption in the `/login` and `/register` endpoints:
```
python appserver.py --rsa=no
```
- you can choose to activate the check for an anonymous JWT in the `/login` and `/register` endpoints:
```
python appserver.py --anojwt=yes
```
- you can choose to activate the antispam check in the `/login` and `/register` endpoints:
```
python appserver.py --antispam=yes --antispam_val=my-value
```
- you can combine those options on the command line:
```
python appserver.py --anojwt=no --rsa=yes --mode=dev_email --antispam=yes
```
For now we are using the following configuration:
- droplet on digitalocean.com
- ubuntu 18.04
- 3 GB RAM / 2 CPU
- 60 GB storage

Then:
- configure your server (user, firewall...)
- install mongodb
- install nginx
- install git on your server (cf. docs 1); basically:
```
sudo apt-get update
sudo apt-get install git
git --version
```
- go to your directory and init git:
```
git init .
git remote add origin https://github.com/co-demos/toktok.git
git pull origin master
```
- same steps as for the local installation (virtual env, install dependencies, config_prod.py file, ...)
- test running the app in production mode (with the possibility to send email):
```
python appserver.py --mode=production
```
- it is then necessary to set up some service on the server to run the app as a daemon. You could use `supervisor` for instance (check our snippets and walkthrough here)
- we did not find a simple enough open source solution to the following problem: having a third-party service (on a distant server) able to serve reasonably secure tokens and manage users, so as to avoid building / re-inventing a custom authentication for login/register every time we work on an app...
- moreover, being able to share users/credentials between multiple services
- we looked at OAuth 2.0 (but it doesn't manage users per se), meteor-password (but it talks over websockets)...
- the SocialConnect project, aka "Carrefour des Innovations Sociales"
- the EIG program by Etalab
- the CGET
- Guillaume Lancrenon
- Julien Paris, developer (aka JPy on Twitter)